Edit tour

Windows Analysis Report
Payload.exe

Overview

General Information

Sample name:	Payload.exe
Analysis ID:	1555217
MD5:	a0044986eec99f4b05358f1457be6ee8
SHA1:	bed5076d966b94c942487fd04e7074e861235ba2
SHA256:	24c7c6cc3124b20c717ac485e263193e351f0ab2e672b353b38688ba218bda9a
Infos:

Detection

Python Stealer, BLX Stealer, XLABB Grabber

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected BLX Stealer

Yara detected XLABB Grabber

AI detected suspicious sample

Drops PE files to the startup folder

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal communication platform credentials (via file / registry access)

Yara detected Generic Python Stealer

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Payload.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\Payload.exe" MD5: A0044986EEC99F4B05358F1457BE6EE8)

Payload.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\Payload.exe" MD5: A0044986EEC99F4B05358F1457BE6EE8)

cmd.exe (PID: 6676 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7000 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6008 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5012 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

Payload.exe (PID: 6800 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe" MD5: A0044986EEC99F4B05358F1457BE6EE8)

Payload.exe (PID: 3704 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe" MD5: A0044986EEC99F4B05358F1457BE6EE8)

cmd.exe (PID: 5904 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7032 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3164 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3568 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XLABBGrabber	Yara detected XLABB Grabber	Joe Security
00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BLXStealer	Yara detected BLX Stealer	Joe Security
0000000D.00000002.3690395576.000002A26F240000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_XLABBGrabber	Yara detected XLABB Grabber	Joe Security
0000000D.00000002.3690395576.000002A26F240000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_BLXStealer	Yara detected BLX Stealer	Joe Security
Process Memory Space: Payload.exe PID: 6612	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
Process Memory Space: Payload.exe PID: 6612	JoeSecurity_XLABBGrabber	Yara detected XLABB Grabber	Joe Security
Process Memory Space: Payload.exe PID: 6612	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payload.exe PID: 6612	JoeSecurity_BLXStealer	Yara detected BLX Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Payload.exe, ProcessId: 6612, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T15:59:15.003634+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49732	TCP
2024-11-13T15:59:53.633022+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49793	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payload.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Payload.exe

ReversingLabs: Detection: 58%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 81.0% probability

Source: Payload.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063412060.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptography_rust.pdbc source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: Payload.exe, 0000000C.00000003.2059571201.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Payload.exe, 00000000.00000003.1839189648.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059270943.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061657930.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062418693.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060408560.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\engine\tb_digest.cENGINE_get_digestcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062626198.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2059956272.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Payload.exe, 00000000.00000003.1835590847.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2049930758.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062219654.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062418693.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060778643.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: Payload.exe, 00000000.00000003.1839001201.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059042237.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063858476.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061758960.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060666720.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2053217280.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061013716.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059483913.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062219654.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063858476.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb** source: Payload.exe, 0000000D.00000002.3722558012.00007FFDFFB50000.00000002.00000001.01000000.0000005F.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2059798725.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061657930.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: Payload.exe, 0000000C.00000003.2061528722.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060666720.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb source: Payload.exe, 0000000D.00000002.3721942877.00007FFDFFADC000.00000002.00000001.01000000.00000061.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2054593515.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3720321686.00007FFDFA796000.00000002.00000001.01000000.00000067.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063014790.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Payload.exe, 00000000.00000003.1835438176.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2049682826.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Payload.exe, 0000000C.00000003.2060294282.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061274932.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063732239.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: Payload.exe, 0000000C.00000003.2060887502.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: Payload.exe, 00000000.00000003.1839189648.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059270943.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060181236.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060294282.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060554410.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Payload.exe, 0000000C.00000003.2078830560.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3724256302.00007FFE1A4F3000.00000002.00000001.01000000.0000005C.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063014790.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061151360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: Payload.exe, 00000000.00000003.1839001201.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059042237.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063186076.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057815992.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3701223012.00007FFDF8512000.00000002.00000001.01000000.0000008C.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063982918.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060066285.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061400403.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb source: Payload.exe, 0000000D.00000002.3722558012.00007FFDFFB50000.00000002.00000001.01000000.0000005F.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061151360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Payload.exe, 00000001.00000002.3703248378.00007FFDFAC05000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062626198.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063732239.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062776082.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060408560.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Payload.exe, 00000001.00000002.3705639389.00007FFDFAFF2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063596360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Payload.exe, 00000000.00000003.1835438176.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2049682826.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2053951617.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061929014.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059956272.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061400403.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062904631.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059798725.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3720136912.00007FFDFA777000.00000002.00000001.01000000.00000069.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2059377948.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060778643.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2059483913.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061528722.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063186076.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062120635.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061929014.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: Payload.exe, 00000000.00000003.1839101463.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059151077.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050945765.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3724039172.00007FFE11BED000.00000002.00000001.01000000.00000059.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059377948.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptography_rust.pdb source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Payload.exe, 00000000.00000003.1835590847.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2049930758.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063596360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062120635.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Payload.exe, 00000001.00000002.3700629261.00007FFDFAAA0000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: Payload.exe, 00000001.00000002.3705639389.00007FFDFAFF2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: crypto\bn\bn_ctx.cBN_CTX_startBN_CTX_getossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcrypto\evp\digest.cevp_md_ctx_new_exevp_md_ctx_free_algctxevp_md_init_internalEVP_DigestUpdatesizeEVP_DigestFinal_exassertion failed: mdsize <= EVP_MAX_MD_SIZEEVP_DigestFinalXOFxoflenEVP_MD_CTX_copy_exEVP_MD_CTX_ctrlmicalgssl3-msblocksizexofalgid-absentevp_md_from_algorithmupdatecrypto\evp\m_sigver.cUNDEFdo_sigver_initEVP_DigestSignUpdateEVP_DigestVerifyUpdateEVP_DigestSignFinalEVP_DigestSignEVP_DigestVerifyFinalEVP_DigestVerifycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Fri Oct 18 00:15:00 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061013716.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059571201.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Payload.exe, 00000000.00000003.1839101463.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059151077.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062028496.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Payload.exe, 00000001.00000002.3700294834.00007FFDFA94E000.00000002.00000001.01000000.0000001F.sdmp, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062904631.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060066285.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062776082.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063982918.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061758960.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061274932.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: Payload.exe, 00000001.00000002.3703248378.00007FFDFAC05000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: Payload.exe, 0000000C.00000003.2059688565.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2053217280.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060181236.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2055776896.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060554410.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063412060.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: Payload.exe, 0000000C.00000003.2060887502.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb}},GCTL source: Payload.exe, 0000000D.00000002.3721942877.00007FFDFFADC000.00000002.00000001.01000000.00000061.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Payload.exe, 00000001.00000002.3684672980.000001BB2F560000.00000002.00000001.01000000.00000007.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062028496.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B49280 FindFirstFileExW,FindClose,	0_2_00007FF6D3B49280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6D3B483C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B61874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6D3B61874
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B49280 FindFirstFileExW,FindClose,	1_2_00007FF6D3B49280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6D3B483C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B61874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF6D3B61874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B409280 FindFirstFileExW,FindClose,	12_2_00007FF71B409280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	12_2_00007FF71B4083C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B421874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00007FF71B421874

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49732
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49793

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: Payload.exe, 00000001.00000002.3691098089.000001BB33290000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3690859188.000002A26F340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: Payload.exe, 00000001.00000002.3702072980.00007FFDFAB05000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: http://.css
Source: Payload.exe, 00000001.00000002.3702072980.00007FFDFAB05000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: http://.jpg
Source: Payload.exe, 00000001.00000002.3690163722.000001BB32E90000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689962769.000002A26EF40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27
Source: Payload.exe, 00000001.00000002.3692076601.000001BB33AB0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689454448.000001BB32BED000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33DF1000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689170720.000001BB32A75000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692167056.000001BB33B65000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB3271C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689029039.000002A26EB61000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FEC2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: Payload.exe, 00000001.00000002.3691223035.000001BB33390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)
Source: Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2053217280.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.cod
Source: Payload.exe, 00000000.00000003.1838407896.00000178B86D0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057815992.000001F0B2903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Payload.exe, 00000000.00000003.1838407896.00000178B86D0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057815992.000001F0B2903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Payload.exe, 00000001.00000002.3691223035.000001BB33390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations
Source: Payload.exe, 00000001.00000003.1888805316.000001BB315FC000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1877194604.000001BB316BC000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1888805316.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1877497191.000001BB316E6000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3155D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875469225.000001BB316C4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2103785691.000002A26DBDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: Payload.exe, 00000001.00000003.1875114007.000001BB31AE9000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875114007.000001BB31A81000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3155D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875435160.000001BB31AF8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875629440.000001BB31564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3684768211.000001BB2F5F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688294290.000002A26E721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB3268F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl1
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlgoc
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688294290.000002A26E721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlp
Source: Payload.exe, 00000000.00000003.1838407896.00000178B86D0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057815992.000001F0B2903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Payload.exe, 0000000C.00000003.2053217280.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Payload.exe, 00000001.00000002.3692076601.000001BB33AB0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB3271C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33DF1000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689454448.000001BB32BED000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689170720.000001BB32A75000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692167056.000001BB33B65000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689029039.000002A26EB61000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: Payload.exe, 00000001.00000002.3692076601.000001BB33AB0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3694770881.000001BB35554000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691223035.000001BB33390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3694770881.000001BB35574000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3694556521.000001BB35450000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691466187.000001BB33590000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3694394745.000001BB35350000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691098089.000001BB33290000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691343035.000001BB33490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DE70000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691152828.000002A26F540000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691276421.000002A26F650000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689029039.000002A26EB61000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FDC1000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3690859188.000002A26F340000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FEC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: Payload.exe, 00000001.00000002.3691098089.000001BB33290000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3690859188.000002A26F340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: Payload.exe, 00000001.00000002.3690747143.000001BB33090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: Payload.exe, 00000001.00000002.3690747143.000001BB33090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: Payload.exe, 00000001.00000002.3690321175.000001BB32F90000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3690102416.000002A26F040000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: Payload.exe, 00000001.00000002.3687707547.000001BB320B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687451811.000001BB31E90000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875548653.000001BB31A19000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875469225.000001BB316B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2115108381.000002A26E74A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688294290.000002A26E721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: Payload.exe, 00000001.00000002.3687451811.000001BB31E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31CC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: Payload.exe, 00000001.00000002.3688335194.000001BB32742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB326A8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: Payload.exe, 00000001.00000002.3702072980.00007FFDFAB05000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post
Source: Payload.exe, 00000001.00000002.3691466187.000001BB33590000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691276421.000002A26F650000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Payload.exe, 00000000.00000003.1838407896.00000178B86D0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057815992.000001F0B2903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Payload.exe, 00000000.00000003.1838407896.00000178B86D0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057815992.000001F0B2903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Payload.exe, 00000001.00000002.3687451811.000001BB31E90000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687325108.000001BB31D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.org/licenses/BSD-3-Clause
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python-lz4.readthedocs.io/en/latest/
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python-lz4.readthedocs.io/en/stable/
Source: Payload.exe, 00000001.00000002.3691864276.000001BB339B2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://python.org
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python.org/
Source: Payload.exe, 00000001.00000002.3691864276.000001BB339B2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://python.org:80
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3686554442.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/7
Source: Payload.exe, 00000001.00000002.3688041311.000001BB32390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: Payload.exe, 00000001.00000002.3694556521.000001BB35450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://timgolden.me.uk/python/wmi.html
Source: Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB3271C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: Payload.exe, 00000001.00000002.3694770881.000001BB35554000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3694556521.000001BB35450000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691466187.000001BB33590000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691276421.000002A26F650000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FEC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: Payload.exe, 00000001.00000002.3691098089.000001BB33290000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3690859188.000002A26F340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692136441.000002A26FC14000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlC
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: Payload.exe, 00000001.00000002.3687325108.000001BB31D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/vg
Source: Payload.exe, 00000001.00000003.1875114007.000001BB31A81000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A2A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB3271C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FEC2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: Payload.exe, 00000001.00000002.3691343035.000001BB33490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691152828.000002A26F540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28FE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2071353785.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Payload.exe, 00000001.00000002.3688335194.000001BB3268F000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: Payload.exe, 00000001.00000002.3688335194.000001BB326A8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: Payload.exe, 00000001.00000003.1875114007.000001BB31A81000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FDC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: Payload.exe, 00000001.00000003.1875114007.000001BB31A81000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A2A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688294290.000002A26E721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: Payload.exe, 00000001.00000002.3688335194.000001BB326A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692136441.000002A26FC14000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FEC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689993388.000001BB32D40000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://127.0.0.1:8443
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: Payload.exe, 0000000D.00000002.3694965313.000002A271850000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.comot-info
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)
Source: Payload.exe, 00000001.00000002.3689547389.000001BB32C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brew.sh
Source: Payload.exe, 00000001.00000002.3692167056.000001BB33B1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.py
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3693641952.000001BB34A80000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692167056.000001BB33B1A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue37179
Source: Payload.exe, 00000001.00000002.3688041311.000001BB32390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687707547.000001BB320B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1207404349177724988/1247483882857828352/Picsart_24-06-04_12-3
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: Payload.exe, 0000000D.00000002.3716644790.00007FFDFA3BB000.00000002.00000001.01000000.00000071.sdmp	String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/python-lz4/python-lz4
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/python-lz4/python-lz4/branch/codecov/graph/badge.svg
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp	String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: Payload.exe, 00000001.00000002.3691715331.000001BB338B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691508373.000002A26F970000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/hazmat/
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689993388.000001BB32D40000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
Source: Payload.exe, 00000001.00000002.3689993388.000001BB32D40000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3
Source: Payload.exe, 00000001.00000002.3691715331.000001BB338B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691508373.000002A26F970000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)
Source: Payload.exe, 00000001.00000002.3694394745.000001BB35350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/guilds/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v
Source: Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3694556521.000001BB35450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/
Source: Payload.exe, 00000001.00000002.3690747143.000001BB33090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1297535549556396133/ve261trT7MNuWrlMT1bnnjDbtyFOhfHK7UO0xzUt7Hpz9EX
Source: Payload.exe, 0000000D.00000002.3694048579.000002A271310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/
Source: Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/developers/applications/
Source: Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/events/
Source: Payload.exe, 00000001.00000002.3693947132.000001BB35040000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/oauth2/authorize?client_id=
Source: Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg
Source: Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.ggN
Source: Payload.exe, 00000001.00000002.3694556521.000001BB35450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.new/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)
Source: Payload.exe, 00000001.00000002.3692167056.000001BB33B1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/clienQ;
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FDC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3693641952.000001BB34A80000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
Source: Payload.exe, 00000001.00000002.3685967283.000001BB31550000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: Payload.exe, 00000001.00000002.3689859176.000001BB32C71000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html
Source: Payload.exe, 00000001.00000002.3693641952.000001BB34A80000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
Source: Payload.exe, 00000001.00000002.3685123722.000001BB30EE0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3685355738.000002A26D070000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685553670.000001BB31130000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: Payload.exe, 00000001.00000002.3685123722.000001BB30EE0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3685355738.000002A26D070000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685123722.000001BB30F68000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685123722.000001BB30F68000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685553670.000001BB31130000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: Payload.exe, 00000001.00000002.3685123722.000001BB30EE0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3685355738.000002A26D070000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685553670.000001BB31130000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3684768211.000001BB2F5F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2091404363.000002A26B69D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2090283179.000002A26B6A0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3684401189.000002A26B639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: Payload.exe, 00000001.00000002.3685675984.000001BB31346000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2098713343.000002A26D884000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2099043654.000002A26D884000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1888720972.000001BB31A88000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1889095317.000001BB31D0F000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1888720972.000001BB31A88000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1889095317.000001BB31D0F000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: Payload.exe, 00000001.00000003.1882892267.000001BB32591000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2111006559.000002A26DC83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: Payload.exe, 00000001.00000003.1876464206.000001BB31BDE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1882931783.000001BB31D4A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688041311.000001BB32390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1876464206.000001BB31B76000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1882892267.000001BB32591000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FDC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/regex/latest/regex/#syntax
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://file.io
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filepreviews.io/
Source: Payload.exe, 00000001.00000002.3690747143.000001BB33090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: Payload.exe, 00000001.00000003.1877625811.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1878743429.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d9
Source: Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688156970.000001BB32490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2111006559.000002A26DC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Rapptz/discord.py
Source: Payload.exe, 00000001.00000002.3691466187.000001BB33590000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691343035.000001BB33490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691152828.000002A26F540000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691276421.000002A26F650000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ThomasHabets/arping
Source: Payload.exe, 00000001.00000002.3685675984.000001BB31330000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3684768211.000001BB2F5F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2091404363.000002A26B69D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2090283179.000002A26B6A0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3684401189.000002A26B639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3693641952.000001BB34A80000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692167056.000001BB33B1A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
Source: Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691343035.000001BB33490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691152828.000002A26F540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/borisbabic/browser_cookie3/issues/new
Source: Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/borisbabic/browser_cookie3/issues/newPa
Source: Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/borisbabic/browser_cookie3/issues/newPas3
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692167056.000001BB33B65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/freyacodes/Lavalink
Source: Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: Payload.exe, 00000001.00000002.3688156970.000001BB32490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687451811.000001BB31E90000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2103785691.000002A26DBDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lz4/lz4/blob/dev/doc/lz4_Block_format.md
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lz4/lz4/blob/master/doc/lz4_Frame_format.md
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/lz4/lz4/blob/master/examples/streaming_api_basics.md
Source: Payload.exe, 00000000.00000003.1835112277.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2078160853.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2078470286.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2048637747.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3722192742.00007FFDFFB24000.00000002.00000001.01000000.00000061.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: Payload.exe, 00000001.00000002.3691223035.000001BB33390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: Payload.exe, 00000001.00000002.3688041311.000001BB32390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging02d2
Source: Payload.exe, 00000001.00000002.3688041311.000001BB32390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging62d2
Source: Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: Payload.exe, 00000001.00000002.3686447175.000001BB31870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1328)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1329)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1330)
Source: Payload.exe, 00000001.00000002.3689859176.000001BB32C71000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/136
Source: Payload.exe, 00000001.00000002.3688335194.000001BB3268F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/251
Source: Payload.exe, 00000001.00000002.3689859176.000001BB32C71000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/428
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-lz4/python-lz4
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-lz4/python-lz4/actions/workflows/build_dist.yml
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-lz4/python-lz4/actions/workflows/build_dist.yml/badge.svg
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-lz4/python-lz4/issues
Source: Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685123722.000001BB30F68000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Payload.exe, 0000000D.00000002.3684401189.000002A26B639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Payload.exe, 00000001.00000002.3685675984.000001BB31330000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3684768211.000001BB2F5F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2091404363.000002A26B69D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2090283179.000002A26B6A0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3684401189.000002A26B639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Payload.exe, 00000001.00000003.1871919658.000001BB3168E000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1872546038.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1877194604.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1870123075.000001BB316E4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873901840.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875629440.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1888805316.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1870422272.000001BB31696000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1870785804.000001BB31696000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1870383769.000001BB316E4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2093949784.000002A26D85F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3693641952.000001BB34A80000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692167056.000001BB33B1A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/pull/28073
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/hynek
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/hynek).
Source: Payload.exe, 00000001.00000002.3685675984.000001BB31330000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3684768211.000001BB2F5F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2091404363.000002A26B69D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2090283179.000002A26B6A0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3684401189.000002A26B639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Payload.exe, 00000001.00000002.3690747143.000001BB33090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920n
Source: Payload.exe, 00000001.00000002.3691098089.000001BB33290000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3690859188.000002A26F340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688294290.000002A26E721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Payload.exe, 0000000D.00000002.3690859188.000002A26F340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: Payload.exe, 00000001.00000002.3688335194.000001BB326A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hynek.me/articles/import-attrs/)
Source: Payload.exe, 00000001.00000002.3694241619.000001BB35250000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3694048579.000002A271310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://i.scdn.co/image/
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: Payload.exe, 00000001.00000003.1873901840.000001BB316C4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1872546038.000001BB316C4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1871919658.000001BB316C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/late
Source: Payload.exe, 00000001.00000003.1871919658.000001BB316C4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687325108.000001BB31D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: Payload.exe, 0000000D.00000002.3686590415.000002A26DE70000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2115108381.000002A26E74A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klaviyo.com/
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lz4.github.io/lz4/
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: Payload.exe, 00000001.00000002.3694241619.000001BB35250000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3694048579.000002A271310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/
Source: Payload.exe, 00000001.00000002.3694241619.000001BB35250000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3694048579.000002A271310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/stickers/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com)
Source: Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3155D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: Payload.exe, 00000001.00000002.3694241619.000001BB35250000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3694048579.000002A271310000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://open.spotify.com/track/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)
Source: Payload.exe, 00000001.00000002.3691466187.000001BB33590000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691343035.000001BB33490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691152828.000002A26F540000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691276421.000002A26F650000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packages.debian.org/sid/iputils-arping
Source: Payload.exe, 00000001.00000003.1889642878.000001BB32652000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1889095317.000001BB31D0F000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3686554442.000001BB31D0D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1890145261.000001BB31D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: Payload.exe, 00000001.00000002.3688156970.000001BB32490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687707547.000001BB320B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)
Source: Payload.exe, 00000001.00000003.1868860452.000001BB315D7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685855881.000001BB31450000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1869275423.000001BB315D7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1868282039.000001BB315D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0649/)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0749/)-implementing
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)
Source: Payload.exe, 00000001.00000002.3688947634.000001BB328B3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692167056.000001BB33B65000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692136441.000002A26FC48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://projectfluent.org
Source: Payload.exe, 00000001.00000002.3691864276.000001BB339B2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pyopenssl.org/
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/attrs/)
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/blxsi/asdasdas/main/inject.js
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
Source: Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/python-lz4/
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/python-lz4/badge/?version=stable
Source: Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1877625811.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688156970.000001BB32490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1878743429.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2111006559.000002A26DC36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: Payload.exe, 00000001.00000002.3691223035.000001BB33390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB326A8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: Payload.exe, 00000001.00000002.3691223035.000001BB33390000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.ioPp?3
Source: Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.ioPpJo
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)
Source: Payload.exe, 00000001.00000003.1874334145.000001BB3156B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1872427392.000001BB31A7D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1872427392.000001BB31A26000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3155D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875629440.000001BB31564000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2108150942.000002A26D771000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2104857939.000002A26D771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: Payload.exe, 00000001.00000002.3687707547.000001BB320B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)
Source: Payload.exe, 00000001.00000003.1889095317.000001BB31B85000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1876464206.000001BB31BDE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1879594088.000001BB31BA1000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1882931783.000001BB31D4A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3686554442.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1888805316.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1876464206.000001BB31B76000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3155D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1882892267.000001BB32591000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2111006559.000002A26DC83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://superfurrycdn.nl/copy/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)
Source: Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33DF1000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB3271C000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FEC2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)
Source: Payload.exe, 00000001.00000002.3687325108.000001BB31D90000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://upload.pypi.org/legacy/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: Payload.exe, 00000001.00000002.3685675984.000001BB31346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: Payload.exe, 0000000C.00000003.2068171030.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: Payload.exe, 0000000C.00000003.2068444697.000001F0B2906000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2068171030.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2068171030.000001F0B2905000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/FilePreviews.svg
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Klaviyo.svg
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Tidelift.svg
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Variomedia.svg
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/names.html)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes)
Source: Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.github.com/python-lz4/python-lz4
Source: Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.t
Source: Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33E47000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB326A8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FDC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688294290.000002A26E721000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.manpagez.com/man/8/networksetup/
Source: Payload.exe, 00000001.00000002.3706081701.00007FFDFB133000.00000002.00000001.01000000.00000016.sdmp, Payload.exe, 00000001.00000002.3703528374.00007FFDFAC40000.00000002.00000001.01000000.00000015.sdmp, Payload.exe, 0000000C.00000003.2072972050.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3712125829.00007FFDF9503000.00000002.00000001.01000000.00000065.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: Payload.exe, 00000001.00000002.3691715331.000001BB338B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689859176.000001BB32C71000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691508373.000002A26F970000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html
Source: Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_verify_cert_error_string.html#ERROR-CODES
Source: Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man5/
Source: Payload.exe, 00000001.00000002.3688335194.000001BB326A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: Payload.exe, 00000001.00000002.3685123722.000001BB30EE0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3685355738.000002A26D070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: Payload.exe, 0000000D.00000002.3712947652.00007FFDF9938000.00000004.00000001.01000000.00000054.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.variomedia.de/
Source: Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com)
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)
Source: Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B65C00	0_2_00007FF6D3B65C00
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B489E0	0_2_00007FF6D3B489E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B66964	0_2_00007FF6D3B66964
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B608C8	0_2_00007FF6D3B608C8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B41000	0_2_00007FF6D3B41000
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B55D30	0_2_00007FF6D3B55D30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B4ACAD	0_2_00007FF6D3B4ACAD
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B4A474	0_2_00007FF6D3B4A474
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B52C10	0_2_00007FF6D3B52C10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B63C10	0_2_00007FF6D3B63C10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B66418	0_2_00007FF6D3B66418
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B608C8	0_2_00007FF6D3B608C8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B51B50	0_2_00007FF6D3B51B50
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B4A2DB	0_2_00007FF6D3B4A2DB
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B5DA5C	0_2_00007FF6D3B5DA5C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B539A4	0_2_00007FF6D3B539A4
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B51944	0_2_00007FF6D3B51944
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B52164	0_2_00007FF6D3B52164
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B580E4	0_2_00007FF6D3B580E4
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B640AC	0_2_00007FF6D3B640AC
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B61874	0_2_00007FF6D3B61874
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B49800	0_2_00007FF6D3B49800
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B58794	0_2_00007FF6D3B58794
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B51740	0_2_00007FF6D3B51740
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B51F60	0_2_00007FF6D3B51F60
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B69728	0_2_00007FF6D3B69728
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B5DEF0	0_2_00007FF6D3B5DEF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B65E7C	0_2_00007FF6D3B65E7C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B59EA0	0_2_00007FF6D3B59EA0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B535A0	0_2_00007FF6D3B535A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B51D54	0_2_00007FF6D3B51D54
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B5E570	0_2_00007FF6D3B5E570
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B65C00	1_2_00007FF6D3B65C00
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B66964	1_2_00007FF6D3B66964
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B41000	1_2_00007FF6D3B41000
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B55D30	1_2_00007FF6D3B55D30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B4ACAD	1_2_00007FF6D3B4ACAD
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B4A474	1_2_00007FF6D3B4A474
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B52C10	1_2_00007FF6D3B52C10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B63C10	1_2_00007FF6D3B63C10
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B66418	1_2_00007FF6D3B66418
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B608C8	1_2_00007FF6D3B608C8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B51B50	1_2_00007FF6D3B51B50
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B4A2DB	1_2_00007FF6D3B4A2DB
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B5DA5C	1_2_00007FF6D3B5DA5C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B489E0	1_2_00007FF6D3B489E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B539A4	1_2_00007FF6D3B539A4
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B51944	1_2_00007FF6D3B51944
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B52164	1_2_00007FF6D3B52164
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B608C8	1_2_00007FF6D3B608C8
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B580E4	1_2_00007FF6D3B580E4
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B640AC	1_2_00007FF6D3B640AC
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B61874	1_2_00007FF6D3B61874
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B49800	1_2_00007FF6D3B49800
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B58794	1_2_00007FF6D3B58794
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B51740	1_2_00007FF6D3B51740
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B51F60	1_2_00007FF6D3B51F60
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B69728	1_2_00007FF6D3B69728
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B5DEF0	1_2_00007FF6D3B5DEF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B65E7C	1_2_00007FF6D3B65E7C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B59EA0	1_2_00007FF6D3B59EA0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B535A0	1_2_00007FF6D3B535A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B51D54	1_2_00007FF6D3B51D54
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B5E570	1_2_00007FF6D3B5E570
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7D23E0	1_2_00007FFDFA7D23E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7D1FB0	1_2_00007FFDFA7D1FB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7E4810	1_2_00007FFDFA7E4810
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7E45C0	1_2_00007FFDFA7E45C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7F1FE0	1_2_00007FFDFA7F1FE0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7F1D70	1_2_00007FFDFA7F1D70
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7F2490	1_2_00007FFDFA7F2490
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7F3520	1_2_00007FFDFA7F3520
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7F29B0	1_2_00007FFDFA7F29B0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7F2EB0	1_2_00007FFDFA7F2EB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA802120	1_2_00007FFDFA802120
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA801D30	1_2_00007FFDFA801D30
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA8121E0	1_2_00007FFDFA8121E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA811F00	1_2_00007FFDFA811F00
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA9918A0	1_2_00007FFDFA9918A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAFB710	1_2_00007FFDFAAFB710
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAABB300	1_2_00007FFDFAABB300
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAE2700	1_2_00007FFDFAAE2700
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAC58F0	1_2_00007FFDFAAC58F0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAF08F0	1_2_00007FFDFAAF08F0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAE2AE0	1_2_00007FFDFAAE2AE0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAADC8E0	1_2_00007FFDFAADC8E0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAC4750	1_2_00007FFDFAAC4750
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAF7D50	1_2_00007FFDFAAF7D50
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAABC940	1_2_00007FFDFAABC940
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAFC340	1_2_00007FFDFAAFC340
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAE6F40	1_2_00007FFDFAAE6F40
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAABDF20	1_2_00007FFDFAABDF20
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAE4690	1_2_00007FFDFAAE4690
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAADE090	1_2_00007FFDFAADE090
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAE1290	1_2_00007FFDFAAE1290
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAC7E70	1_2_00007FFDFAAC7E70
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAB2070	1_2_00007FFDFAAB2070
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAADB270	1_2_00007FFDFAADB270
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAB786B	1_2_00007FFDFAAB786B
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAFE860	1_2_00007FFDFAAFE860
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAF7660	1_2_00007FFDFAAF7660
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAB66C0	1_2_00007FFDFAAB66C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAE68C0	1_2_00007FFDFAAE68C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAFFEB0	1_2_00007FFDFAAFFEB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAF94B0	1_2_00007FFDFAAF94B0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAE0EB0	1_2_00007FFDFAAE0EB0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAF7AA0	1_2_00007FFDFAAF7AA0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAADA810	1_2_00007FFDFAADA810
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFAAFF400	1_2_00007FFDFAAFF400
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B425C00	12_2_00007FF71B425C00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B426964	12_2_00007FF71B426964
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4089E0	12_2_00007FF71B4089E0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4208C8	12_2_00007FF71B4208C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B401000	12_2_00007FF71B401000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B40A474	12_2_00007FF71B40A474
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B426418	12_2_00007FF71B426418
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4208C8	12_2_00007FF71B4208C8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B40ACAD	12_2_00007FF71B40ACAD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B411B50	12_2_00007FF71B411B50
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B423C10	12_2_00007FF71B423C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B412C10	12_2_00007FF71B412C10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B41DA5C	12_2_00007FF71B41DA5C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B40A2DB	12_2_00007FF71B40A2DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B412164	12_2_00007FF71B412164
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B411944	12_2_00007FF71B411944
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4139A4	12_2_00007FF71B4139A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B421874	12_2_00007FF71B421874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4180E4	12_2_00007FF71B4180E4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4240AC	12_2_00007FF71B4240AC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B411F60	12_2_00007FF71B411F60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B418794	12_2_00007FF71B418794
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B429728	12_2_00007FF71B429728
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B411740	12_2_00007FF71B411740
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B409800	12_2_00007FF71B409800
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B425E7C	12_2_00007FF71B425E7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B41DEF0	12_2_00007FF71B41DEF0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B419EA0	12_2_00007FF71B419EA0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B41E570	12_2_00007FF71B41E570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B415D30	12_2_00007FF71B415D30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B411D54	12_2_00007FF71B411D54
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4135A0	12_2_00007FF71B4135A0

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: String function: 00007FF71B402710 appears 52 times
Source: C:\Users\user\Desktop\Payload.exe	Code function: String function: 00007FF6D3B42710 appears 104 times
Source: C:\Users\user\Desktop\Payload.exe	Code function: String function: 00007FF6D3B42910 appears 34 times

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: python3.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: Payload.exe, 00000000.00000003.1835112277.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs Payload.exe
Source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1836616255.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1835438176.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Payload.exe
Source: Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1838264282.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1836848416.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1839101463.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000000.00000003.1835590847.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Payload.exe
Source: Payload.exe, 00000000.00000003.1838084483.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1839001201.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000000.00000003.1839189648.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Payload.exe
Source: Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Payload.exe
Source: Payload.exe	Binary or memory string: OriginalFilename vs Payload.exe
Source: Payload.exe, 00000001.00000002.3706081701.00007FFDFB133000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Payload.exe
Source: Payload.exe, 00000001.00000002.3700453114.00007FFDFA980000.00000002.00000001.01000000.0000001F.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Payload.exe
Source: Payload.exe, 00000001.00000002.3703528374.00007FFDFAC40000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Payload.exe
Source: Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Payload.exe
Source: Payload.exe, 00000001.00000002.3684672980.000001BB2F560000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Payload.exe
Source: Payload.exe, 00000001.00000002.3701717290.00007FFDFAAA5000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2061151360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2051466429.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2078160853.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom311.dll0 vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2063186076.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2063982918.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2061657930.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2062418693.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2057470577.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2061929014.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059377948.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2060554410.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059798725.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059688565.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2060887502.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2049930758.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2053951617.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059483913.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059042237.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2061013716.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2057815992.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2055776896.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2062904631.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2078830560.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2062219654.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2062776082.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2061528722.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2063596360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2054593515.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2063014790.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2060066285.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2051729554.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2061274932.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2062626198.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2075762488.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2060408560.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2063732239.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2050945765.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2072972050.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059151077.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2078470286.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes311.dll0 vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2063412060.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2061758960.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059956272.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2061400403.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2062120635.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2049682826.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2060666720.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2048637747.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2060294282.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2062028496.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2060778643.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2057067655.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2063858476.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059270943.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2060181236.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2053217280.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Payload.exe
Source: Payload.exe, 0000000C.00000003.2059571201.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs Payload.exe
Source: Payload.exe	Binary or memory string: OriginalFilename vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3722192742.00007FFDFFB24000.00000002.00000001.01000000.00000061.sdmp	Binary or memory string: OriginalFilenamepythoncom311.dll0 vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3717632415.00007FFDFA41A000.00000002.00000001.01000000.0000006D.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3721349938.00007FFDFFA3E000.00000002.00000001.01000000.00000066.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3712125829.00007FFDF9503000.00000002.00000001.01000000.00000065.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3724870467.00007FFE1A52B000.00000002.00000001.01000000.00000057.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3725074737.00007FFE1A547000.00000002.00000001.01000000.00000055.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3720210641.00007FFDFA77E000.00000002.00000001.01000000.00000069.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3723098262.00007FFDFFBD5000.00000002.00000001.01000000.0000005A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3720981947.00007FFDFA7C9000.00000002.00000001.01000000.00000063.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3722823991.00007FFDFFB9E000.00000002.00000001.01000000.0000005D.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3710653957.00007FFDF9010000.00000002.00000001.01000000.0000006E.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs Payload.exe
Source: Payload.exe, 0000000D.00000002.3724338055.00007FFE1A4F6000.00000002.00000001.01000000.0000005C.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Payload.exe

Source: classification engine

Classification label: mal96.troj.adwa.spyw.evad.winEXE@28/399@1/1

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI64162

Jump to behavior

Source: Payload.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Payload.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
Source: Payload.exe, 00000001.00000002.3700294834.00007FFDFA94E000.00000002.00000001.01000000.0000001F.sdmp, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Payload.exe, 00000001.00000002.3691223035.000001BB33390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT host_key, path, is_secure, expires_utc, name, value, encrypted_value, is_httponly FROM cookies WHERE host_key like ?;
Source: Payload.exe, 00000001.00000002.3691223035.000001BB33390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT host_key, path, secure, expires_utc, name, value, encrypted_value, is_httponly FROM cookies WHERE host_key like ?;
Source: Payload.exe, 00000001.00000002.3700294834.00007FFDFA94E000.00000002.00000001.01000000.0000001F.sdmp, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Payload.exe, 00000001.00000002.3700294834.00007FFDFA94E000.00000002.00000001.01000000.0000001F.sdmp, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Payload.exe, 00000001.00000002.3700294834.00007FFDFA94E000.00000002.00000001.01000000.0000001F.sdmp, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Payload.exe, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Payload.exe, 00000001.00000002.3700294834.00007FFDFA94E000.00000002.00000001.01000000.0000001F.sdmp, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Payload.exe, 00000001.00000002.3700294834.00007FFDFA94E000.00000002.00000001.01000000.0000001F.sdmp, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: Payload.exe

ReversingLabs: Detection: 58%

Source: Payload.exe

String found in binary or memory: can't send non-None value to a just-started generator

Source: C:\Users\user\Desktop\Payload.exe

File read: C:\Users\user\Desktop\Payload.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Users\user\Desktop\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Users\user\Desktop\Payload.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Payload.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Payload.exe

Static file information: File size 26241148 > 1048576

Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payload.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payload.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Payload.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063412060.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptography_rust.pdbc source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: Payload.exe, 0000000C.00000003.2059571201.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: Payload.exe, 00000000.00000003.1839189648.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059270943.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061657930.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062418693.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060408560.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\engine\tb_digest.cENGINE_get_digestcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062626198.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2059956272.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Payload.exe, 00000000.00000003.1835590847.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2049930758.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062219654.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062418693.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060778643.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: Payload.exe, 00000000.00000003.1839001201.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059042237.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063858476.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061758960.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060666720.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2053217280.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061013716.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059483913.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062219654.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063858476.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb** source: Payload.exe, 0000000D.00000002.3722558012.00007FFDFFB50000.00000002.00000001.01000000.0000005F.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2059798725.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061657930.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: Payload.exe, 0000000C.00000003.2061528722.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060666720.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb source: Payload.exe, 0000000D.00000002.3721942877.00007FFDFFADC000.00000002.00000001.01000000.00000061.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Payload.exe, 00000000.00000003.1837740018.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2054593515.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3720321686.00007FFDFA796000.00000002.00000001.01000000.00000067.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063014790.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Payload.exe, 00000000.00000003.1835438176.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2049682826.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: Payload.exe, 0000000C.00000003.2060294282.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061274932.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063732239.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: Payload.exe, 0000000C.00000003.2060887502.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: Payload.exe, 00000000.00000003.1839189648.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059270943.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060181236.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060294282.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060554410.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Payload.exe, 0000000C.00000003.2078830560.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3724256302.00007FFE1A4F3000.00000002.00000001.01000000.0000005C.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063014790.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061151360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: Payload.exe, 00000000.00000003.1839001201.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059042237.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063186076.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: Payload.exe, 00000000.00000003.1838407896.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2057815992.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3701223012.00007FFDF8512000.00000002.00000001.01000000.0000008C.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063982918.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060066285.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061400403.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb source: Payload.exe, 0000000D.00000002.3722558012.00007FFDFFB50000.00000002.00000001.01000000.0000005F.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061151360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: Payload.exe, 00000001.00000002.3703248378.00007FFDFAC05000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062626198.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063732239.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062776082.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060408560.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: Payload.exe, 00000001.00000002.3705639389.00007FFDFAFF2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063596360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Payload.exe, 00000000.00000003.1835438176.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2049682826.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Payload.exe, 00000000.00000003.1837657079.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2053951617.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061929014.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059956272.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061400403.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062904631.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059798725.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Payload.exe, 00000000.00000003.1837073321.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2052313066.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3720136912.00007FFDFA777000.00000002.00000001.01000000.00000069.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2059377948.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060778643.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Payload.exe, 00000000.00000003.1835719318.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050151967.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2059483913.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061528722.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063186076.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062120635.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061929014.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: Payload.exe, 00000000.00000003.1839101463.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059151077.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Payload.exe, 00000000.00000003.1836235257.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2050945765.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3724039172.00007FFE11BED000.00000002.00000001.01000000.00000059.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059377948.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Payload.exe, 00000000.00000003.1837953219.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2056304174.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptography_rust.pdb source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Payload.exe, 00000000.00000003.1835590847.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2049930758.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063596360.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062120635.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Payload.exe, 00000001.00000002.3700629261.00007FFDFAAA0000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: Payload.exe, 00000001.00000002.3705639389.00007FFDFAFF2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: crypto\bn\bn_ctx.cBN_CTX_startBN_CTX_getossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcrypto\evp\digest.cevp_md_ctx_new_exevp_md_ctx_free_algctxevp_md_init_internalEVP_DigestUpdatesizeEVP_DigestFinal_exassertion failed: mdsize <= EVP_MAX_MD_SIZEEVP_DigestFinalXOFxoflenEVP_MD_CTX_copy_exEVP_MD_CTX_ctrlmicalgssl3-msblocksizexofalgid-absentevp_md_from_algorithmupdatecrypto\evp\m_sigver.cUNDEFdo_sigver_initEVP_DigestSignUpdateEVP_DigestVerifyUpdateEVP_DigestSignFinalEVP_DigestSignEVP_DigestVerifyFinalEVP_DigestVerifycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Fri Oct 18 00:15:00 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2061013716.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2059571201.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: Payload.exe, 00000000.00000003.1839101463.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2059151077.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062028496.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Payload.exe, 00000001.00000002.3700294834.00007FFDFA94E000.00000002.00000001.01000000.0000001F.sdmp, Payload.exe, 0000000D.00000002.3710533543.00007FFDF8FDE000.00000002.00000001.01000000.0000006E.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2062904631.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060066285.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062776082.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2063982918.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061758960.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2061274932.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: Payload.exe, 00000001.00000002.3703248378.00007FFDFAC05000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: Payload.exe, 0000000C.00000003.2059688565.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Payload.exe, 00000000.00000003.1837516867.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2053217280.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: Payload.exe, 0000000C.00000003.2060181236.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Payload.exe, 00000000.00000003.1837856554.00000178B86C3000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2055776896.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2060554410.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2063412060.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: Payload.exe, 0000000C.00000003.2060887502.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb}},GCTL source: Payload.exe, 0000000D.00000002.3721942877.00007FFDFFADC000.00000002.00000001.01000000.00000061.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Payload.exe, 00000001.00000002.3684672980.000001BB2F560000.00000002.00000001.01000000.00000007.sdmp, Payload.exe, 0000000C.00000003.2075989694.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: Payload.exe, 0000000C.00000003.2062028496.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp

Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payload.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: api-ms-win-core-console-l1-1-0.dll.0.dr

Static PE information: 0x975A648E [Sun Jun 19 20:33:18 2050 UTC]

Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\propcache\_helpers_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\lz4\block\_block.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\lz4\_version.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_brotli.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_brotli.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\lz4\block\_block.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\propcache\_helpers_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\lz4\_version.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68002\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

Code function: 0_2_00007FF6D3B45830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF6D3B45830

Source: C:\Users\user\Desktop\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXE
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXE
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMUSRVC.EXE
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXEIL-L1-1-0.DLL
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: XENSERVICE.EXE
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\aiohttp\_websocket.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\aiohttp\_helpers.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\propcache\_helpers_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\lz4\block\_block.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp\_http_parser.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\lz4\_version.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_brotli.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\multidict\_multidict.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\yarl\_quoting_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_brotli.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp\_http_writer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\python311.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\lz4\block\_block.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\propcache\_helpers_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\frozenlist\_frozenlist.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\lz4\_version.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68002\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Payload.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\Payload.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-17224
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_12-18113

Source: C:\Users\user\Desktop\Payload.exe

API coverage: 4.2 %

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B49280 FindFirstFileExW,FindClose,	0_2_00007FF6D3B49280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6D3B483C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B61874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6D3B61874
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B49280 FindFirstFileExW,FindClose,	1_2_00007FF6D3B49280
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B483C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6D3B483C0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B61874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF6D3B61874
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B409280 FindFirstFileExW,FindClose,	12_2_00007FF71B409280
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B4083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	12_2_00007FF71B4083C0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B421874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00007FF71B421874

Source: C:\Users\user\Desktop\Payload.exe

Code function: 1_2_00007FFDFA830180 GetSystemInfo,

1_2_00007FFDFA830180

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Payload.exe, 0000000C.00000003.2065864267.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System32\vmGuestLib.dll
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray.exe
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc.exe
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareTray.exe
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.exe
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareService.exe
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exe
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System32\vmGuestLib.dll-info
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxmrxnp.dll
Source: Payload.exe, 0000000D.00000002.3686049757.000002A26D6BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware_dll
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc.exe
Source: Payload.exe, 00000001.00000003.1874334145.000001BB3156B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1871919658.000001BB31585000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3155D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875629440.000001BB31564000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873153314.000001BB31582000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllwwx
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice.exe

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

Code function: 0_2_00007FF6D3B4D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6D3B4D12C

Source: C:\Users\user\Desktop\Payload.exe

Code function: 0_2_00007FF6D3B63480 GetProcessHeap,

0_2_00007FF6D3B63480

Source: C:\Users\user\Desktop\Payload.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B4D30C SetUnhandledExceptionFilter,	0_2_00007FF6D3B4D30C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B4D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6D3B4D12C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B4C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6D3B4C8A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 0_2_00007FF6D3B5A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6D3B5A614
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B4D30C SetUnhandledExceptionFilter,	1_2_00007FF6D3B4D30C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B4D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6D3B4D12C
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B4C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF6D3B4C8A0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FF6D3B5A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6D3B5A614
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7D1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFA7D1960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7D1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFA7D1390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7E1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFA7E1960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7E1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFA7E1390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7F1960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFA7F1960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA7F1390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFA7F1390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA801960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFA801960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA801390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFA801390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA811960 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFA811960
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA811390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFA811390
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA94CAF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFA94CAF0
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA992A90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFA992A90
Source: C:\Users\user\Desktop\Payload.exe	Code function: 1_2_00007FFDFA993058 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFA993058
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B40D30C SetUnhandledExceptionFilter,	12_2_00007FF71B40D30C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B40D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FF71B40D12C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B40C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FF71B40C8A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Code function: 12_2_00007FF71B41A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FF71B41A614

Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Users\user\Desktop\Payload.exe

Code function: 0_2_00007FF6D3B69570 cpuid

0_2_00007FF6D3B69570

Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\cryptography-43.0.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\cryptography-43.0.3.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\lz4-4.3.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\lz4-4.3.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\lz4-4.3.3.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\lz4 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-file-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\api-ms-win-core-util-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\yarl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32\pywintypes311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64162\_asyncio.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	Queries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68002\Crypto VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payload.exe

Code function: 0_2_00007FF6D3B4D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6D3B4D010

Source: C:\Users\user\Desktop\Payload.exe

Code function: 0_2_00007FF6D3B65C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6D3B65C00

Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe

Stealing of Sensitive Information

Yara detected BLX Stealer

Source: Yara match	File source: 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690395576.000002A26F240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 6612, type: MEMORYSTR

Yara detected XLABB Grabber

Source: Yara match	File source: 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690395576.000002A26F240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 6612, type: MEMORYSTR

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\Desktop\Payload.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\Desktop\Payload.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: Payload.exe PID: 6612, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: Payload.exe PID: 6612, type: MEMORYSTR

Remote Access Functionality

Yara detected BLX Stealer

Source: Yara match	File source: 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690395576.000002A26F240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 6612, type: MEMORYSTR

Yara detected XLABB Grabber

Source: Yara match	File source: 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3690395576.000002A26F240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payload.exe PID: 6612, type: MEMORYSTR

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: Payload.exe PID: 6612, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Email Collection	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	12 Virtualization/Sandbox Evasion	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payload.exe	58%	ReversingLabs	Win64.Trojan.PyngoStealerMarte
Payload.exe	100%	Avira	OSX/GM.ReverseShe.TH

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_curve25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_curve448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64162\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://repository.swisssign.com/7	0%	Avira URL Cloud	safe
https://lz4.github.io/lz4/	0%	Avira URL Cloud	safe
https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing	0%	Avira URL Cloud	safe
https://superfurrycdn.nl/copy/	0%	Avira URL Cloud	safe
https://requests.readthedocs.ioPpJo	0%	Avira URL Cloud	safe
http://python-lz4.readthedocs.io/en/stable/	0%	Avira URL Cloud	safe
https://bugs.py	0%	Avira URL Cloud	safe
https://api.myip.comot-info	0%	Avira URL Cloud	safe
https://127.0.0.1:8443	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://discord.com/channels/	Payload.exe, 0000000D.00000002.3694048579.000002A271310000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues/8996	Payload.exe, 00000001.00000002.3698030689.00007FFDFA08A000.00000002.00000001.01000000.00000035.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp	false		high
https://github.com/giampaolo/psutil/issues/875.	Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/251	Payload.exe, 00000001.00000002.3688335194.000001BB3268F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://coinbase.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://i.scdn.co/image/	Payload.exe, 00000001.00000002.3694241619.000001BB35250000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3694048579.000002A271310000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/developers/applications/	Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/aio-libs/aiohttp/discussions/6044	Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3693641952.000001BB34A80000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692167056.000001BB33B1A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tiktok.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/library/unittest.html	Payload.exe, 00000001.00000002.3686554442.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2115108381.000002A26E74A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688294290.000002A26E721000.00000004.00000020.00020000.00000000.sdmp	false		high
http://python.org	Payload.exe, 00000001.00000002.3691864276.000001BB339B2000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Payload.exe, 00000001.00000002.3685675984.000001BB31330000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3684768211.000001BB2F5F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2091404363.000002A26B69D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2090283179.000002A26B6A0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3684401189.000002A26B639000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/attachments/1207404349177724988/1247483882857828352/Picsart_24-06-04_12-3	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/sponsors/hynek	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v	Payload.exe, 00000001.00000002.3694099874.000001BB35150000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/7	Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://goo.gl/zeJZl.	Payload.exe, 00000001.00000002.3691582161.000001BB336D0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	Payload.exe, 0000000C.00000003.2068444697.000001F0B2906000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2068171030.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2068171030.000001F0B2905000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	Payload.exe, 00000001.00000002.3685967283.000001BB31550000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paypal.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	Payload.exe, 00000001.00000002.3688041311.000001BB32390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.php	Payload.exe, 0000000D.00000002.3691635284.000002A26FA72000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FDC1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1877625811.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688156970.000001BB32490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1878743429.000001BB31B45000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2111006559.000002A26DC36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging62d2	Payload.exe, 00000001.00000002.3688041311.000001BB32390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://xbox.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	Payload.exe, 00000001.00000002.3690747143.000001BB33090000.00000004.00001000.00020000.00000000.sdmp	false		high
https://youtube.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/136	Payload.exe, 00000001.00000002.3689859176.000001BB32C71000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692686032.000001BB33DF1000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	Payload.exe, 00000001.00000002.3691098089.000001BB33290000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3690859188.000002A26F340000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	Payload.exe, 00000001.00000002.3690747143.000001BB33090000.00000004.00001000.00020000.00000000.sdmp	false		high
https://packages.debian.org/sid/iputils-arping	Payload.exe, 00000001.00000002.3691466187.000001BB33590000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3691343035.000001BB33490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691152828.000002A26F540000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691276421.000002A26F650000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/oauth2/authorize?client_id=	Payload.exe, 00000001.00000002.3693947132.000001BB35040000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.myip.comot-info	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://superfurrycdn.nl/copy/	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	Payload.exe, 00000001.00000002.3685123722.000001BB30EE0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3685355738.000002A26D070000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crunchyroll.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/1330)	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lz4.github.io/lz4/	Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3	Payload.exe, 00000001.00000002.3689993388.000001BB32D40000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2	Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689993388.000001BB32D40000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Payload.exe, 00000001.00000002.3685675984.000001BB31330000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3684768211.000001BB2F5F8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2091404363.000002A26B69D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2090283179.000002A26B6A0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3684401189.000002A26B639000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	Payload.exe, 00000001.00000003.1871919658.000001BB3168E000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1872546038.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1877194604.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1870123075.000001BB316E4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685967283.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873901840.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1875629440.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1888805316.000001BB3168D000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1870422272.000001BB31696000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1870785804.000001BB31696000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1870383769.000001BB316E4000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2093949784.000002A26D85F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	Payload.exe, 00000001.00000002.3691466187.000001BB33590000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691276421.000002A26F650000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ebay.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	Payload.exe, 0000000D.00000002.3686049757.000002A26D708000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	Payload.exe, 0000000C.00000003.2068171030.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file	Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	Payload.exe, 00000001.00000003.1875114007.000001BB31A81000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A2A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A7D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685553670.000001BB31130000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	Payload.exe, 00000001.00000002.3685123722.000001BB30EE0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3685355738.000002A26D070000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://filepreviews.io/	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/why.html#data-classes)	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064985903.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000C.00000003.2064880770.000001F0B2904000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/	Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3694556521.000001BB35450000.00000004.00001000.00020000.00000000.sdmp	false		high
https://playstation.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB326A8000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sellix.io)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://brew.sh	Payload.exe, 00000001.00000002.3689547389.000001BB32C46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging02d2	Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	Payload.exe, 00000001.00000002.3686447175.000001BB31870000.00000004.00001000.00020000.00000000.sdmp	false		high
http://python-lz4.readthedocs.io/en/stable/	Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wiki.debian.org/XDGBaseDirectorySpecification#state	Payload.exe, 00000001.00000002.3685675984.000001BB31346000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	Payload.exe, 00000001.00000002.3691098089.000001BB33290000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3690859188.000002A26F340000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/changelog.html	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing	Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3692342025.000001BB33BF0000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692682642.000002A26FDC1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.variomedia.de/	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://requests.readthedocs.ioPpJo	Payload.exe, 0000000D.00000002.3691029912.000002A26F440000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688335194.000001BB325D2000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3688190500.000002A26E640000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	Payload.exe, 00000001.00000002.3688156970.000001BB32490000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687451811.000001BB31E90000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2103785691.000002A26DBDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es00	Payload.exe, 00000001.00000002.3686554442.000001BB31990000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	Payload.exe, 00000001.00000003.1875114007.000001BB31A81000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A2A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1873705923.000001BB31A7D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	Payload.exe, 00000001.00000002.3689170720.000001BB32A9B000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3692136441.000002A26FC14000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3686590415.000002A26DAB0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/python-lz4/	Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3691391157.000002A26F790000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3706057755.00007FFDF8BAA000.00000002.00000001.01000000.00000084.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/lz4/lz4/blob/master/doc/lz4_Frame_format.md	Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://html4/loose.dtd	Payload.exe, 00000001.00000002.3702072980.00007FFDFAB05000.00000002.00000001.01000000.00000019.sdmp	false		high
https://mahler:8092/site-updates.py	Payload.exe, 00000001.00000002.3686554442.000001BB31D0D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugs.py	Payload.exe, 00000001.00000002.3692167056.000001BB33B1A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cryptography.io/	Payload.exe, 0000000C.00000003.2066762312.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).	Payload.exe, 0000000C.00000003.2064880770.000001F0B28F7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://127.0.0.1:8443	Payload.exe, 00000001.00000002.3688825472.000001BB327A7000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3689993388.000001BB32D40000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3689661268.000002A26ED6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com/cps0	Payload.exe, 00000001.00000002.3688335194.000001BB3268F000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688947634.000001BB329D9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://opensource.org/licenses/BSD-3-Clause	Payload.exe, 0000000C.00000003.2073629272.000001F0B28F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html#re.sub	Payload.exe, 00000001.00000003.1876464206.000001BB31BDE000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1882931783.000001BB31D4A000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3688041311.000001BB32390000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3687575023.000001BB31FA0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1876464206.000001BB31B76000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1882892267.000001BB32591000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687500255.000002A26E0B0000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000002.3687966279.000002A26E440000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	Payload.exe, 00000001.00000003.1861583912.000001BB31339000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000003.1861700439.000001BB31331000.00000004.00000020.00020000.00000000.sdmp, Payload.exe, 00000001.00000002.3685553670.000001BB31130000.00000004.00001000.00020000.00000000.sdmp, Payload.exe, 0000000D.00000003.2087816823.000002A26D4BA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://netflix.com)	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	Payload.exe, 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555217
Start date and time:	2024-11-13 15:57:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payload.exe
Detection:	MAL
Classification:	mal96.troj.adwa.spyw.evad.winEXE@28/399@1/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: Payload.exe

Simulations

Behavior and APIs

Time	Type	Description
14:59:10	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.74.152	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	https://www.canva.com/design/DAGOCNo1NUI/fm7sxEzJIeZ3v2miLpNZCw/view?utm_content=DAGOCNo1NUI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.12.205
	setup7.0.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	DHL Delivery Invoice.com.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	fefbBqMKcU.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	yh5At5T1Zs.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	scan3762399_arleen@wcctxlaw.com.pdf	Get hash	malicious	Unknown	Browse	172.67.74.152
	x.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.13.205
	neworigin.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	TC_Ziraat_Bankasi_Hesap_Ekstresi.cmd	Get hash	malicious	AgentTesla, DBatLoader	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	aba5298f.msi	Get hash	malicious	Unknown	Browse	104.18.86.42
	FW Cardenas Leslie shared Mathis IDS Remittance Copy with you.msg	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://www.dropbox.com.mcas-gov.ms/l/scl/AABSwu8KEz6sAXF6EDmPFvs56lPgSRwoxio?McasTsid=20893&McasCSRF=81f1afd142a81521476c396db0d440dc1f2327c03c65f90a0848092f4db6f69d	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.calameo.com/read/007794614fc42ee64ee87	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTczMTQ4OTAwMjtzOjI6ImlkIjtpOjEzODk4O3M6NDoiZmlsZSI7czo0MzoicGRmY3JlYXRvci0xLTYtMi1QREZDcmVhdG9yLTFfNl8yX3NldHVwLmV4ZSI7czozOiJ1cmwiO3M6NTA6Imh0dHA6Ly93d3cub2xkdmVyc2lvbi5jb20vd2luZG93cy9wZGZjcmVhdG9yLTEtNi0yIjtzOjQ6InBhc3MiO3M6MzI6IjMwYzExNzY3MTEwNWY3MjhjYjA0YzU2ZjkzYTc1YTRjIjt9	Get hash	malicious	Unknown	Browse	104.16.141.209
	https://wetransfer.com/downloads/dfae2da4024c0a427ba385707deb5ffa20240620022822/9659fc	Get hash	malicious	Unknown	Browse	104.26.1.90
	https://www.canva.com/design/DAGOCNo1NUI/fm7sxEzJIeZ3v2miLpNZCw/view?utm_content=DAGOCNo1NUI&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.16.103.112
	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.0.123

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_Salsa20.pyd	Creal.exe	Get hash	malicious	Creal Stealer	Browse
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
	https://t.ly/Oppenheim0511	Get hash	malicious	GO Backdoor	Browse
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	SecuriteInfo.com.Trojan.PWS.Stealer.39881.9434.15338.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse
C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_ARC4.pyd	Creal.exe	Get hash	malicious	Creal Stealer	Browse
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
	https://t.ly/Oppenheim0511	Get hash	malicious	GO Backdoor	Browse
	RobCheat.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe	Get hash	malicious	Python Stealer, Braodo	Browse
	grA6aqodO5.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	oconsole.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\Desktop\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Creal.exe, Detection: malicious, Browse Filename: #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: RobCheat.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Malware-gen.32485.11504.exe, Detection: malicious, Browse Filename: grA6aqodO5.exe, Detection: malicious, Browse Filename: oconsole.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.640339306680604
Encrypted:	false
SSDEEP:	192:dLklddyTHThob0q/tJRrlDfNYSOcqgYCWt:ZgcdZq/JJD6gRWt
MD5:	BCD8CAAF9342AB891BB1D8DD45EF0098
SHA1:	EE7760BA0FF2548F25D764F000EFBB1332BE6D3E
SHA-256:	78725D2F55B7400A3FCAFECD35AF7AEB253FBC0FFCDF1903016EB0AABD1B4E50
SHA-512:	8B6FB53AECB514769985EBFDAB1B3C739024597D9C35905E04971D5422256546F7F169BF98F9BAF7D9F42A61CFF3EE7A20664989D3000773BF5EDA10CB3A0C24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r^J.6?$.6?$.6?$.?G..2?$.dJ%.4?$.}G%.5?$.6?%..?$.dJ!.<?$.dJ .>?$.dJ'.5?$..J,.7?$..J$.7?$..J..7?$..J&.7?$.Rich6?$.........................PE..d...Y..f.........." ................P........................................p............`..........................................'......0(..d....P.......@...............`..(....!...............................!..8............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...H....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..(....`.......*..............@..B........................................................................................................................................................................................................................................

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.997562044271756
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payload.exe
File size:	26'241'148 bytes
MD5:	a0044986eec99f4b05358f1457be6ee8
SHA1:	bed5076d966b94c942487fd04e7074e861235ba2
SHA256:	24c7c6cc3124b20c717ac485e263193e351f0ab2e672b353b38688ba218bda9a
SHA512:	3ddb80bb5957cf514180692550fc5e3a916cb75d0cb99433924399f8185c0466eaf5deb6c77cb92daee3e9eec251a4479dfdf7968bd55bb47645a24d596860c3
SSDEEP:	786432:i9YiJVl8ZMj3hr8AW+e5RP96R+c+U4VdF5Kd:i98a3hr8AW+eHPgR6U4VdXKd
TLSH:	9047339952E90CD2ECF5413AC22AC109BB32FE656BD0D54F9BF988471FA72D01D39E81
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6731F8C8 [Mon Nov 11 12:30:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	2a7ae207b6295492e9da088072661752	False	0.5514439174107143	data	6.487454925709845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	e341dab10b74e3767c73397449a4fdad	False	0.5244661458333333	data	5.752660729211676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	f5559f14427a02f0a5dbd0dd026cae54	False	0.470703125	data	5.291665041994019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xf41c	0xf600	455788c285fcfdcb4008bc77e762818a	False	0.803099593495935	data	7.5549760623589695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x57000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x480b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x48958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x48ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x523ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x54994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x55a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x55ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x55f0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 15:59:10.611741066 CET	49731	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:10.611788988 CET	443	49731	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:10.611862898 CET	49731	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:10.612731934 CET	49731	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:10.612754107 CET	443	49731	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:11.263238907 CET	443	49731	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:11.267180920 CET	49731	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:11.267198086 CET	443	49731	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:11.269326925 CET	443	49731	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:11.269428015 CET	49731	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:11.270807981 CET	49731	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:11.270977974 CET	49731	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:32.244208097 CET	49739	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:32.244271040 CET	443	49739	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:32.244355917 CET	49739	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:32.245094061 CET	49739	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:32.245106936 CET	443	49739	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:32.908715010 CET	443	49739	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:32.909660101 CET	49739	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:32.909701109 CET	443	49739	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:32.913325071 CET	443	49739	172.67.74.152	192.168.2.4
Nov 13, 2024 15:59:32.913410902 CET	49739	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:32.915364981 CET	49739	443	192.168.2.4	172.67.74.152
Nov 13, 2024 15:59:32.915577888 CET	49739	443	192.168.2.4	172.67.74.152

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 15:59:10.585973024 CET	56882	53	192.168.2.4	1.1.1.1
Nov 13, 2024 15:59:10.593544960 CET	53	56882	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	09:58:56
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\Payload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payload.exe"
Imagebase:	0x7ff6d3b40000
File size:	26'241'148 bytes
MD5 hash:	A0044986EEC99F4B05358F1457BE6EE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	1
Start time:	09:59:00
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\Payload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payload.exe"
Imagebase:	0x7ff6d3b40000
File size:	26'241'148 bytes
MD5 hash:	A0044986EEC99F4B05358F1457BE6EE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XLABBGrabber, Description: Yara detected XLABB Grabber, Source: 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BLXStealer, Description: Yara detected BLX Stealer, Source: 00000001.00000002.3690970778.000001BB33190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	09:59:03
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff69a620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	09:59:07
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff69a620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	09:59:18
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Imagebase:	0x7ff71b400000
File size:	26'241'148 bytes
MD5 hash:	A0044986EEC99F4B05358F1457BE6EE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	13
Start time:	09:59:23
Start date:	13/11/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
Imagebase:	0x7ff71b400000
File size:	26'241'148 bytes
MD5 hash:	A0044986EEC99F4B05358F1457BE6EE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XLABBGrabber, Description: Yara detected XLABB Grabber, Source: 0000000D.00000002.3690395576.000002A26F240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BLXStealer, Description: Yara detected BLX Stealer, Source: 0000000D.00000002.3690395576.000002A26F240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Target ID:	14
Start time:	09:59:26
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff69a620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	16
Start time:	09:59:29
Start date:	13/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff69a620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	28

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payload.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ecb.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_eksblowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI64162\Crypto\Cipher\_raw_ocb.pyd

Windows Analysis Report
Payload.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre