Edit tour

Windows Analysis Report
NEVER OPEN!.exe

Overview

General Information

Sample name:	NEVER OPEN!.exe
Analysis ID:	1556387
MD5:	61b5a3066bcf661f69b9e362ef1a1f8c
SHA1:	bc6701f2a76cb5db3ea27371240b7e295382d29c
SHA256:	2949df50691624e3a64635fbf690527e245d5c83dd3bd8f000f34447a6386ba2
Tags:	Empyreanexeuser-likeastar20
Infos:

Detection

Python Stealer, Empyrean, Discord Token Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected Empyrean Stealer

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Discord Token Stealer

Yara detected Empyrean

AI detected suspicious sample

Machine Learning detection for sample

Potentially malicious time measurement code found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Tries to harvest and steal browser information (history, passwords, etc)

Uses cmd line tools excessively to alter registry or file data

Writes many files with high entropy

Yara detected Generic Python Stealer

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

NEVER OPEN!.exe (PID: 7000 cmdline: "C:\Users\user\Desktop\NEVER OPEN!.exe" MD5: 61B5A3066BCF661F69B9E362EF1A1F8C)

NEVER OPEN!.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\NEVER OPEN!.exe" MD5: 61B5A3066BCF661F69B9E362EF1A1F8C)

cmd.exe (PID: 6244 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 600 cmdline: C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 3272 cmdline: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 3716 cmdline: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6164 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6980 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4948 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6388 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2588 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 2256 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1620 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 932 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\empyrean\run.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dat.txt (PID: 4544 cmdline: C:\Users\user\AppData\Roaming\empyrean\dat.txt MD5: 61B5A3066BCF661F69B9E362EF1A1F8C)

dat.txt (PID: 5768 cmdline: C:\Users\user\AppData\Roaming\empyrean\dat.txt MD5: 61B5A3066BCF661F69B9E362EF1A1F8C)

cmd.exe (PID: 5264 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5348 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5432 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 6324 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2828 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 2800 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5312 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 1620 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\empyrean\run.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dat.txt (PID: 280 cmdline: C:\Users\user\AppData\Roaming\empyrean\dat.txt MD5: 61B5A3066BCF661F69B9E362EF1A1F8C)

dat.txt (PID: 5004 cmdline: C:\Users\user\AppData\Roaming\empyrean\dat.txt MD5: 61B5A3066BCF661F69B9E362EF1A1F8C)

cmd.exe (PID: 5592 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4336 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6404 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 3744 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1376 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 2364 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5592 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
NEVER OPEN!.exe	JoeSecurity_DiscordTokenStealer_1	Yara detected Discord Token Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\empyrean\dat.txt	JoeSecurity_DiscordTokenStealer_1	Yara detected Discord Token Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000020.00000002.2233150692.000001A88A4E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Empyrean	Yara detected Empyrean	Joe Security
0000001A.00000002.2151057596.0000013317E10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Empyrean	Yara detected Empyrean	Joe Security
Process Memory Space: NEVER OPEN!.exe PID: 7164	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: NEVER OPEN!.exe PID: 7164	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
Process Memory Space: NEVER OPEN!.exe PID: 7164	JoeSecurity_Empyrean	Yara detected Empyrean	Joe Security

Sigma Signatures

System Summary

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 5432, StartAddress: 213032B0, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 5432

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\empyrean\run.bat, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 6164, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f, CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3716, ParentProcessName: cmd.exe, ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f, ProcessId: 6164, ProcessName: reg.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\empyrean\dat.txt, CommandLine: C:\Users\user\AppData\Roaming\empyrean\dat.txt, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\empyrean\dat.txt, NewProcessName: C:\Users\user\AppData\Roaming\empyrean\dat.txt, OriginalFileName: C:\Users\user\AppData\Roaming\empyrean\dat.txt, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\empyrean\run.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 932, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Roaming\empyrean\dat.txt, ProcessId: 4544, ProcessName: dat.txt

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f", CommandLine: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\NEVER OPEN!.exe", ParentImage: C:\Users\user\Desktop\NEVER OPEN!.exe, ParentProcessId: 7164, ParentProcessName: NEVER OPEN!.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f", ProcessId: 3716, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: NEVER OPEN!.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\_MEI2802\win32ui.pyd

ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Source: NEVER OPEN!.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: NEVER OPEN!.exe

Joe Sandbox ML: detected

Source: NEVER OPEN!.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\A\40\b\bin\amd64\_decimal.pdb$$ source: NEVER OPEN!.exe, 00000001.00000002.1906311543.00007FFE01371000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: NEVER OPEN!.exe, dat.txt
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: NEVER OPEN!.exe, dat.txt
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: NEVER OPEN!.exe, 00000001.00000002.1903355658.00007FFE007E6000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_decimal.pdb source: NEVER OPEN!.exe, 00000001.00000002.1906311543.00007FFE01371000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: NEVER OPEN!.exe, 00000001.00000002.1920987146.00007FFE126C1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb source: NEVER OPEN!.exe, 00000001.00000002.1899389721.00007FFE001C1000.00000040.00000001.01000000.0000003B.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: NEVER OPEN!.exe, 00000001.00000002.1897592652.00007FFDFB30E000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python3.pdb source: NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1878698743.000001F093850000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: NEVER OPEN!.exe, 00000000.00000003.1717619222.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1924121684.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: NEVER OPEN!.exe, 00000001.00000002.1916135326.00007FFE10241000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: NEVER OPEN!.exe, 00000000.00000003.1717619222.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1924121684.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: NEVER OPEN!.exe, 00000001.00000002.1922538367.00007FFE130C1000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: NEVER OPEN!.exe, 00000001.00000002.1907220479.00007FFE014C1000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python310.pdb source: NEVER OPEN!.exe, 00000001.00000002.1898577877.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: NEVER OPEN!.exe, 00000001.00000002.1904550109.00007FFE012D1000.00000040.00000001.01000000.00000032.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: NEVER OPEN!.exe, 00000001.00000002.1909665891.00007FFE0CFC1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: NEVER OPEN!.exe, 00000000.00000003.1717788454.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1921820675.00007FFE12E15000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: NEVER OPEN!.exe, 00000001.00000002.1915163773.00007FFE0EB5C000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: NEVER OPEN!.exe, 00000001.00000002.1904263516.00007FFE01211000.00000040.00000001.01000000.00000031.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: NEVER OPEN!.exe, 00000001.00000002.1915163773.00007FFE0EB5C000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: NEVER OPEN!.exe, 00000001.00000002.1909239152.00007FFE0CF91000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\select.pdb source: NEVER OPEN!.exe, 00000001.00000002.1923089438.00007FFE13201000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: NEVER OPEN!.exe, 00000001.00000002.1896873012.00007FFDFB0AC000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: NEVER OPEN!.exe, 00000001.00000002.1903355658.00007FFE007E6000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: NEVER OPEN!.exe, 00000001.00000002.1909239152.00007FFE0CF91000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: NEVER OPEN!.exe, 00000001.00000002.1908679287.00007FFE0C0A1000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: NEVER OPEN!.exe, 00000001.00000002.1915478870.00007FFE101D1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: NEVER OPEN!.exe, 00000001.00000002.1909665891.00007FFE0CFC1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: NEVER OPEN!.exe, 00000001.00000002.1916398193.00007FFE10301000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: NEVER OPEN!.exe, 00000001.00000002.1897592652.00007FFDFB30E000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: NEVER OPEN!.exe, 00000000.00000003.1717788454.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1921820675.00007FFE12E15000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: NEVER OPEN!.exe, dat.txt
Source:	Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: NEVER OPEN!.exe, 00000001.00000002.1911150737.00007FFE0E151000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb!! source: NEVER OPEN!.exe, 00000001.00000002.1899389721.00007FFE001C1000.00000040.00000001.01000000.0000003B.sdmp

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD64A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BC7780 FindFirstFileExW,FindClose,	0_2_00007FF619BC7780
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE0CE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF619BE0CE4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD64A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE0CE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF619BE0CE4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD64A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD64A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BC7780 FindFirstFileExW,FindClose,	1_2_00007FF619BC7780
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C3229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	1_2_00007FFDFB0C3229
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A864A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	25_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A77780 FindFirstFileExW,FindClose,	25_2_00007FF670A77780
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A90CE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_00007FF670A90CE4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A864A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	25_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A90CE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	26_2_00007FF670A90CE4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A864A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	26_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A864A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	26_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A77780 FindFirstFileExW,FindClose,	26_2_00007FF670A77780
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	26_2_00007FFDFB233229

Source: Joe Sandbox View	IP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 104.26.9.44 104.26.9.44

Source: unknown

DNS query: name: ipapi.co

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ipapi.co
Source: global traffic	DNS traffic detected: DNS query: discord.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: www.cloudflare.com

Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889208036.000001F096645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865767129.000001F096645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877031715.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889135569.000001F09662C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NEVER OPEN!.exe, 00000001.00000002.1889788062.000001F096AA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://chardet.feedparser.org/
Source: NEVER OPEN!.exe, 00000001.00000002.1889788062.000001F096AA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://chardet.feedparser.org/p=
Source: NEVER OPEN!.exe, 00000001.00000003.1875075177.000001F095CE8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1868292392.000001F095C9E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871406964.000001F095CE7000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869721795.000001F095CBB000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: NEVER OPEN!.exe, 00000001.00000003.1869547578.000001F095E13000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1742101263.000001F095DFC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1742101263.000001F095DAD000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1746818736.000001F095E13000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874591942.000001F095E1B000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1883341863.000001F095E1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: NEVER OPEN!.exe, 00000001.00000003.1874305117.000001F0974F9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869260303.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874681025.000001F097500000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863855088.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1788868906.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863985982.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891393968.000001F097504000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889252951.000001F09668A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097719000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865828206.000001F09762E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867966006.000001F09764B000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866436381.000001F097716000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866533702.000001F097644000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865994897.000001F097639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866390219.000001F097671000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795315174.000001F097671000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866509171.000001F097617000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873000781.000001F097674000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891393968.000001F097504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: NEVER OPEN!.exe, 00000001.00000003.1869260303.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863855088.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869038207.000001F09779D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1859519257.000001F09779D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889252951.000001F09668A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874305117.000001F0974F9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874681025.000001F097500000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863985982.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891271962.000001F0974EF000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891393968.000001F097504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlex
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlfts3
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863985982.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891271962.000001F0974EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crldex
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsec
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: NEVER OPEN!.exe, 00000001.00000003.1865828206.000001F09762E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867966006.000001F09764B000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892221361.000001F09764E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866533702.000001F097644000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865994897.000001F097639000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795348868.000001F097645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873148359.000001F09764E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Dig
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dat.txt, 0000001F.00000003.2025585356.000001E72D468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877031715.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889135569.000001F09662C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877031715.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889135569.000001F09662C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889208036.000001F096645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865767129.000001F096645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889788062.000001F096AA0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890206695.000001F096FF0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889596330.000001F0968A0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888533425.000001F096587000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890308306.000001F0970F0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877031715.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875471356.000001F095888000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889135569.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875150816.000001F095857000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1880951206.000001F09588B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: NEVER OPEN!.exe, 00000001.00000002.1890206695.000001F096FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: NEVER OPEN!.exe, 00000001.00000002.1893418081.000001F097A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: NEVER OPEN!.exe, 00000001.00000002.1890308306.000001F0970F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: NEVER OPEN!.exe, 00000001.00000002.1889881614.000001F096BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: NEVER OPEN!.exe, 00000001.00000003.1746818736.000001F095D1D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1748289517.000001F095DAC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: NEVER OPEN!.exe, 00000001.00000002.1883832510.000001F095F40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: NEVER OPEN!.exe, 00000001.00000002.1889881614.000001F096BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: NEVER OPEN!.exe, 00000001.00000003.1874217754.000001F095D70000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875606707.000001F095DA1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869627513.000001F095D5F000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876866086.000001F095DA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: NEVER OPEN!.exe, 00000001.00000003.1874217754.000001F095D70000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875606707.000001F095DA1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870689292.000001F095922000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867207825.000001F09591C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869627513.000001F095D5F000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877251993.000001F095DAB000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876866086.000001F095DA7000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1881418163.000001F095923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post
Source: NEVER OPEN!.exe, 00000001.00000002.1889692319.000001F0969A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html
Source: NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873103669.000001F095D16000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891810964.000001F0975A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795348868.000001F097645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097719000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795276580.000001F097677000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866436381.000001F097716000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795396100.000001F09767F000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.ese
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: NEVER OPEN!.exe, 00000001.00000002.1881898101.000001F095B40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1879835755.000001F095130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://packages.python.org/altgraph
Source: NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pypi.python.org/pypi/altgraph
Source: NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pypi.python.org/pypi/sphinx
Source: NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://python.org
Source: NEVER OPEN!.exe, 00000001.00000003.1872384714.000001F09725C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python.org/
Source: NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://python.org:80
Source: NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866509171.000001F097617000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892598384.000001F0976B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/1;
Source: NEVER OPEN!.exe, 00000001.00000003.1865464973.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866464509.000001F0976B1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892598384.000001F0976B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/7
Source: NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/U
Source: dat.txt	String found in binary or memory: http://schemas.mi
Source: NEVER OPEN!.exe, 00000001.00000002.1894215353.000001F0982D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://timgolden.me.uk/python/wmi.html
Source: NEVER OPEN!.exe, 00000001.00000002.1894215353.000001F0982D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://timgolden.me.uk/python/wmi.htmlread
Source: NEVER OPEN!.exe, 00000001.00000003.1869811293.000001F0964B7000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1886398465.000001F0964BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: NEVER OPEN!.exe, 00000001.00000002.1890206695.000001F096FF0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1893418081.000001F097A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: NEVER OPEN!.exe, 00000001.00000002.1890102466.000001F096EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890431124.000001F097203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097719000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795276580.000001F097677000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866436381.000001F097716000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795396100.000001F09767F000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873103669.000001F095D16000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891810964.000001F0975A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795348868.000001F097645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: NEVER OPEN!.exe, 00000001.00000002.1892323666.000001F097687000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865464973.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873103669.000001F095D16000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891810964.000001F0975A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795348868.000001F097645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866659826.000001F097686000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866191590.000001F09767F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlP
Source: NEVER OPEN!.exe, 00000001.00000003.1873000781.000001F09766C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865464973.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892292252.000001F09766C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlv
Source: NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890462247.000001F097216000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: NEVER OPEN!.exe, 00000001.00000002.1892323666.000001F097687000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865464973.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873103669.000001F095D16000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891810964.000001F0975A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795348868.000001F097645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866659826.000001F097686000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866191590.000001F09767F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890462247.000001F097216000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htmz1
Source: NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873103669.000001F095D16000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891810964.000001F0975A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890462247.000001F097216000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795348868.000001F097645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: NEVER OPEN!.exe, 00000000.00000003.1732075571.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: NEVER OPEN!.exe, 00000000.00000003.1732075571.0000027663E06000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1732075571.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: NEVER OPEN!.exe, 00000001.00000003.1873581283.000001F097495000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874932917.000001F0974B0000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/egVn
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889208036.000001F096645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865767129.000001F096645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722997372.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720275846.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795276580.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795331629.000001F0976B1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972FC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1788868906.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865464973.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866464509.000001F0976B1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890462247.000001F097216000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892598384.000001F0976B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: NEVER OPEN!.exe, 00000001.00000003.1874217754.000001F095D70000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875606707.000001F095DA1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869627513.000001F095D5F000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876866086.000001F095DA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: NEVER OPEN!.exe, 00000001.00000003.1869811293.000001F0964B7000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875247294.000001F0964C3000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871028242.000001F0964C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pyinstaller.org/
Source: NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pyinstaller.org/support.html
Source: NEVER OPEN!.exe, 00000001.00000003.1874418076.000001F095904000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1868261871.000001F095903000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: NEVER OPEN!.exe, 00000001.00000003.1875330985.000001F097460000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877208570.000001F097472000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766457914.000001F097363000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874148217.000001F097453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890431124.000001F097203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888533425.000001F096587000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888632190.000001F0965A4000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://127.0.0.1:8443
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097770000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F0996D4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1792420967.000001F097770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://altgraph.readthedocs.io
Source: NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://altgraph.readthedocs.io/en/latest/
Source: NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue37179
Source: NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/firacode/6.2.0/woff/FiraCode-Bold.woff
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/firacode/6.2.0/woff/FiraCode-Regular.woff
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/firacode/6.2.0/woff2/FiraCode-Bold.woff2
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/firacode/6.2.0/woff2/FiraCode-Regular.woff2
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://click.palletsprojects.com/
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888632190.000001F0965A4000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
Source: NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888632190.000001F0965A4000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3
Source: NEVER OPEN!.exe, 00000001.00000002.1893994482.000001F0980D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/guilds/
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10
Source: NEVER OPEN!.exe, 00000001.00000002.1893994482.000001F0980D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10/webhooks/1306712102454689894/mUtZxcKqgD0QOzmILD3IjZstQhJ4wDZAz0fITuzSl_A
Source: NEVER OPEN!.exe, 00000001.00000002.1894215353.000001F098348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1306712102454689894/mUtZxcKqgD0QOzmILD3IjZstQhJ4wDZAz0fITuzSl_AZIun
Source: NEVER OPEN!.exe, 00000001.00000002.1893994482.000001F0980D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/
Source: NEVER OPEN!.exe, 00000001.00000002.1890308306.000001F0970F0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877031715.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889135569.000001F09662C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/developers/applications/
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/events/
Source: NEVER OPEN!.exe, 00000001.00000002.1893776235.000001F097EC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/oauth2/authorize?client_id=
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.new/
Source: NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874305117.000001F0974F9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863985982.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing
Source: NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
Source: NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888632190.000001F0965A4000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
Source: NEVER OPEN!.exe, 00000001.00000002.1884370641.000001F0962A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: NEVER OPEN!.exe, 00000001.00000002.1884370641.000001F0962A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: NEVER OPEN!.exe, 00000001.00000003.1743000479.000001F0962F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: NEVER OPEN!.exe, 00000001.00000003.1743000479.000001F096335000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1881898101.000001F095B40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1743000479.000001F0962F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: NEVER OPEN!.exe, 00000001.00000003.1875330985.000001F097460000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877208570.000001F097472000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874148217.000001F097453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/regex/latest/regex/#syntax
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filepreviews.io/
Source: NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871513780.000001F096512000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1887451073.000001F096536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539#
Source: NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/XVilka/8346728
Source: NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890206695.000001F096FF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Rapptz/discord.py
Source: NEVER OPEN!.exe, 00000001.00000003.1737866877.000001F093927000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870519237.000001F093913000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1737990293.000001F093916000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1879447015.000001F093915000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1738161329.000001F093927000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1738161329.000001F093916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
Source: NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972FC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876188142.000001F0965AC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888675099.000001F0965AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/freyacodes/Lavalink
Source: NEVER OPEN!.exe, 00000001.00000002.1889881614.000001F096BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: NEVER OPEN!.exe, 00000000.00000003.1725542997.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719318901.0000027663E05000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1723670795.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1726594155.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1724000360.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1725938350.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1719318901.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1725185679.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1725333388.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1725938350.0000027663E06000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1899711383.00007FFE001E6000.00000004.00000001.01000000.0000003B.sdmp, NEVER OPEN!.exe, 00000001.00000002.1907121579.00007FFE01475000.00000004.00000001.01000000.00000011.sdmp, NEVER OPEN!.exe, 00000001.00000002.1909564751.00007FFE0CFBA000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/pyright/)).
Source: NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/naufraghi/tinyaes-py
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pygments/pygments/archive/master.zip#egg=Pygments-dev
Source: NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyinstaller/pyinstaller
Source: NEVER OPEN!.exe, 00000000.00000003.1732075571.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyinstaller/pyinstaller.
Source: NEVER OPEN!.exe, 00000001.00000002.1884428139.000001F0962C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs)
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1068)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1079)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1081)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1084)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1085)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1090)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1092)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1099)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1105)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1107)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1117)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1120)
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1122)
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/136
Source: NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1747162433.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/251
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/428
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/993)
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-pillow/Pillow/
Source: NEVER OPEN!.exe, 00000001.00000003.1737990293.000001F093916000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1879835755.000001F095130000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1738161329.000001F093916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: NEVER OPEN!.exe, 00000001.00000003.1738161329.000001F093916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: NEVER OPEN!.exe, 00000001.00000003.1737866877.000001F093927000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870519237.000001F093913000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1879447015.000001F093915000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1738161329.000001F093927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/pull/28073
Source: NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ronaldoussoren/altgraph
Source: NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ronaldoussoren/altgraph/
Source: NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ronaldoussoren/altgraph/issues
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/hynek
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/hynek).
Source: NEVER OPEN!.exe, 00000001.00000003.1737866877.000001F093927000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870519237.000001F093913000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1879447015.000001F093915000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1738161329.000001F093927000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871513780.000001F096512000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1887451073.000001F096536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871513780.000001F096512000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1887451073.000001F096536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: NEVER OPEN!.exe, 00000000.00000003.1732075571.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gnu.org/licenses/gpl-2.0.html
Source: NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888533425.000001F096587000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hatch.pypa.io/latest/).
Source: NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871513780.000001F096512000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1887451073.000001F096536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: NEVER OPEN!.exe, 00000001.00000002.1890308306.000001F0970F0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1868129600.000001F095E34000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1883569338.000001F095E36000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871347871.000001F096692000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889286989.000001F096695000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888959073.000001F096608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: NEVER OPEN!.exe, 00000001.00000003.1868292392.000001F095C9E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1882409318.000001F095CD1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876359841.000001F095CD1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869721795.000001F095CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hynek.me/articles/import-attrs/)
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F098584000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://i.imgu
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.imgur.com/HjzfjfR.png
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://i.scdn.co/image/
Source: NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipapi.co/ip/
Source: NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1887451073.000001F096536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097770000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1792420967.000001F097770000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F0996C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097770000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795006849.000001F097608000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1794679097.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F0996E8000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1792420967.000001F097770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876188142.000001F0965AC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888675099.000001F0965AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://media.discordapp.net/
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://open.spotify.com/track/
Source: NEVER OPEN!.exe, 00000001.00000003.1747162433.000001F0964D1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889788062.000001F096AA0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889596330.000001F0968A0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1747162433.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1747339602.000001F0964BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0681/)
Source: NEVER OPEN!.exe, 00000001.00000003.1875330985.000001F097460000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877208570.000001F097472000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890861032.000001F097400000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874148217.000001F097453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://projectfluent.org
Source: NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876003232.000001F096543000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871513780.000001F096512000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pygments.org/docs/lexers/)
Source: NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pygments.org/docs/styles/#getting-a-list-of-available-styles).
Source: NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pyinstaller.readthedocs.io/
Source: NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pyinstaller.readthedocs.io/en/v5.0.1/
Source: NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pyinstaller.readthedocs.io/en/v5.0.1/CHANGES.html
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/attrs/)
Source: NEVER OPEN!.exe, 00000001.00000002.1898577877.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/addi00000/empyrean-injection/main/obfuscated.js
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/addi00000/empyrean-injection/main/obfuscated.js0
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/FilePreviews.svg
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Sentry.svg
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Tidelift.svg
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Variomedia.svg
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
Source: NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: NEVER OPEN!.exe, 00000001.00000003.1868292392.000001F095C9E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869721795.000001F095CBB000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890308306.000001F0970F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sentry.io/
Source: NEVER OPEN!.exe, 00000001.00000003.1740139596.000001F095CC7000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1740139596.000001F095C77000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1740708415.000001F09590C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1739985681.000001F095CC7000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870689292.000001F095922000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867207825.000001F09591C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1741731970.000001F0958E9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1881418163.000001F095923000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1742208369.000001F09590B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: NEVER OPEN!.exe, 00000001.00000003.1871162140.000001F0962C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1743000479.000001F096335000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1884370641.000001F0962A0000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1884428139.000001F0962C9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1743000479.000001F0962F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: NEVER OPEN!.exe, 00000001.00000002.1889881614.000001F096BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
Source: NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F098677000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F098690000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: NEVER OPEN!.exe, 00000001.00000003.1785503716.000001F09772A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986BD000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891496753.000001F09751A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863985982.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: NEVER OPEN!.exe, 00000001.00000003.1785503716.000001F09772A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F098677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.orgo9
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17P
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscripti
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa
Source: NEVER OPEN!.exe, 00000001.00000003.1871162140.000001F0962C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1884428139.000001F0962C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877031715.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889135569.000001F09662C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889208036.000001F096645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865767129.000001F096645000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875150816.000001F095857000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1889881614.000001F096BA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F09967C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1880785392.000001F095840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/)
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/license.html)
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/names.html)
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization).
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes).
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/cdn-cgi/trace
Source: NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/cdn-cgi/tracep8B
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F09967C000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F098677000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F098690000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F09967C000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: NEVER OPEN!.exe, 00000001.00000003.1785503716.000001F09772A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: NEVER OPEN!.exe, 00000001.00000003.1785503716.000001F09772A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: NEVER OPEN!.exe, 00000001.00000003.1785503716.000001F09772A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986BD000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780302825.000001F09761D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: NEVER OPEN!.exe, 00000001.00000003.1785503716.000001F09772A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: NEVER OPEN!.exe, 00000001.00000003.1785503716.000001F09772A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1787469521.000001F0986BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097770000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F0996D4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1792420967.000001F097770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F09967C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1898503424.00007FFDFB414000.00000004.00000001.01000000.00000018.sdmp, NEVER OPEN!.exe, 00000001.00000002.1904170665.00007FFE00823000.00000004.00000001.01000000.00000017.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: NEVER OPEN!.exe, 00000001.00000002.1889692319.000001F0969A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch04s07.html
Source: NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pyinstaller.org/
Source: NEVER OPEN!.exe, 00000001.00000003.1868292392.000001F095C9E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1882409318.000001F095CD1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876359841.000001F095CD1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869721795.000001F095CBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876188142.000001F0965AC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888675099.000001F0965AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: NEVER OPEN!.exe, 00000000.00000003.1730086551.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: NEVER OPEN!.exe, 00000001.00000002.1879835755.000001F095130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.textualize.io
Source: NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.variomedia.de/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F09967C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: NEVER OPEN!.exe, 00000001.00000003.1873000781.000001F09766C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865464973.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1788868906.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892292252.000001F09766C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: NEVER OPEN!.exe, 00000001.00000003.1869260303.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863855088.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1788868906.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889252951.000001F09668A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888533425.000001F096587000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/
Source: NEVER OPEN!.exe, 00000001.00000002.1883414803.000001F095E2A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1746818736.000001F095E27000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869759132.000001F095E27000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1748289517.000001F095E27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://zopeinterface.readthedocs.io/en/latest/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_ec_ws.pyd entropy: 7.99846974006	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imaging.cp310-win_amd64.pyd entropy: 7.99826858376	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imagingft.cp310-win_amd64.pyd entropy: 7.9983793163	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\python310.dll entropy: 7.9920074107	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\sqlite3.dll entropy: 7.99354820268	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Roaming\empyrean\dat.txt entropy: 7.99798119644	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_ec_ws.pyd entropy: 7.99846974006	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imaging.cp310-win_amd64.pyd entropy: 7.99826858376	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imagingft.cp310-win_amd64.pyd entropy: 7.9983793163	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\python310.dll entropy: 7.9920074107	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\sqlite3.dll entropy: 7.99354820268	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ec_ws.pyd entropy: 7.99846974006	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imaging.cp310-win_amd64.pyd entropy: 7.99826858376	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingft.cp310-win_amd64.pyd entropy: 7.9983793163	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\python310.dll entropy: 7.9920074107	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\sqlite3.dll entropy: 7.99354820268	Jump to dropped file

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BDB28C	0_2_00007FF619BDB28C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD64A4	0_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE4D48	0_2_00007FF619BE4D48
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BC6740	0_2_00007FF619BC6740
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD72FC	0_2_00007FF619BD72FC
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BDDAB8	0_2_00007FF619BDDAB8
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD62F0	0_2_00007FF619BD62F0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE8A88	0_2_00007FF619BE8A88
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD0A4C	0_2_00007FF619BD0A4C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD29E4	0_2_00007FF619BD29E4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD11F4	0_2_00007FF619BD11F4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE314C	0_2_00007FF619BE314C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD4D00	0_2_00007FF619BD4D00
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE2CC0	0_2_00007FF619BE2CC0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE0CE4	0_2_00007FF619BE0CE4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD1CA0	0_2_00007FF619BD1CA0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BC9CB0	0_2_00007FF619BC9CB0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD0C38	0_2_00007FF619BD0C38
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BDD438	0_2_00007FF619BDD438
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BC1B90	0_2_00007FF619BC1B90
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD8F00	0_2_00007FF619BD8F00
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD0E20	0_2_00007FF619BD0E20
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD2618	0_2_00007FF619BD2618
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD64A4	0_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BDFD48	0_2_00007FF619BDFD48
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BDFD48	0_2_00007FF619BDFD48
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD0864	0_2_00007FF619BD0864
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD100C	0_2_00007FF619BD100C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE4FC4	0_2_00007FF619BE4FC4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BDCF88	0_2_00007FF619BDCF88
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE5740	0_2_00007FF619BE5740
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BDB28C	1_2_00007FF619BDB28C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD72FC	1_2_00007FF619BD72FC
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BDDAB8	1_2_00007FF619BDDAB8
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD62F0	1_2_00007FF619BD62F0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE8A88	1_2_00007FF619BE8A88
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD0A4C	1_2_00007FF619BD0A4C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD29E4	1_2_00007FF619BD29E4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD11F4	1_2_00007FF619BD11F4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE314C	1_2_00007FF619BE314C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD4D00	1_2_00007FF619BD4D00
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE2CC0	1_2_00007FF619BE2CC0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE0CE4	1_2_00007FF619BE0CE4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD64A4	1_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD1CA0	1_2_00007FF619BD1CA0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BC9CB0	1_2_00007FF619BC9CB0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD0C38	1_2_00007FF619BD0C38
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BDD438	1_2_00007FF619BDD438
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BC1B90	1_2_00007FF619BC1B90
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD8F00	1_2_00007FF619BD8F00
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD0E20	1_2_00007FF619BD0E20
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD2618	1_2_00007FF619BD2618
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD64A4	1_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BDFD48	1_2_00007FF619BDFD48
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE4D48	1_2_00007FF619BE4D48
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BDFD48	1_2_00007FF619BDFD48
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD0864	1_2_00007FF619BD0864
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD100C	1_2_00007FF619BD100C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE4FC4	1_2_00007FF619BE4FC4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BDCF88	1_2_00007FF619BDCF88
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BC6740	1_2_00007FF619BC6740
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE5740	1_2_00007FF619BE5740
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE0F920	1_2_00007FFDFAE0F920
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE3FF20	1_2_00007FFDFAE3FF20
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE9ED10	1_2_00007FFDFAE9ED10
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE28AB0	1_2_00007FFDFAE28AB0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAEDBBA0	1_2_00007FFDFAEDBBA0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE4B910	1_2_00007FFDFAE4B910
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAEA58B0	1_2_00007FFDFAEA58B0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE66880	1_2_00007FFDFAE66880
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAEA4870	1_2_00007FFDFAEA4870
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE23A50	1_2_00007FFDFAE23A50
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE86A00	1_2_00007FFDFAE86A00
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE269A2	1_2_00007FFDFAE269A2
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE7B980	1_2_00007FFDFAE7B980
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE34F20	1_2_00007FFDFAE34F20
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE23F10	1_2_00007FFDFAE23F10
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE6BEC0	1_2_00007FFDFAE6BEC0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE7FEA0	1_2_00007FFDFAE7FEA0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE61E60	1_2_00007FFDFAE61E60
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE2E040	1_2_00007FFDFAE2E040
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE3B010	1_2_00007FFDFAE3B010
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE6CCF0	1_2_00007FFDFAE6CCF0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE31CB0	1_2_00007FFDFAE31CB0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE76C70	1_2_00007FFDFAE76C70
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAECCC70	1_2_00007FFDFAECCC70
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE8EE50	1_2_00007FFDFAE8EE50
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAEBDE30	1_2_00007FFDFAEBDE30
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE97D80	1_2_00007FFDFAE97D80
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE96D70	1_2_00007FFDFAE96D70
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE7DD60	1_2_00007FFDFAE7DD60
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE8BD60	1_2_00007FFDFAE8BD60
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE6B300	1_2_00007FFDFAE6B300
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE772C0	1_2_00007FFDFAE772C0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE38290	1_2_00007FFDFAE38290
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE42280	1_2_00007FFDFAE42280
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE64270	1_2_00007FFDFAE64270
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE2F400	1_2_00007FFDFAE2F400
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE4B150	1_2_00007FFDFAE4B150
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE470B0	1_2_00007FFDFAE470B0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAEB1070	1_2_00007FFDFAEB1070
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE2A060	1_2_00007FFDFAE2A060
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE26060	1_2_00007FFDFAE26060
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAEA4060	1_2_00007FFDFAEA4060
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE781A0	1_2_00007FFDFAE781A0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE22758	1_2_00007FFDFAE22758
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE36740	1_2_00007FFDFAE36740
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE4E710	1_2_00007FFDFAE4E710
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE3B6B0	1_2_00007FFDFAE3B6B0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE4C690	1_2_00007FFDFAE4C690
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAECA850	1_2_00007FFDFAECA850
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE44810	1_2_00007FFDFAE44810
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE45800	1_2_00007FFDFAE45800
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE3A7B0	1_2_00007FFDFAE3A7B0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE4A770	1_2_00007FFDFAE4A770
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE53510	1_2_00007FFDFAE53510
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE824F0	1_2_00007FFDFAE824F0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAEB1460	1_2_00007FFDFAEB1460
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE925D0	1_2_00007FFDFAE925D0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAE265DB	1_2_00007FFDFAE265DB
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA1880	1_2_00007FFDFAFA1880
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB413230	1_2_00007FFDFB413230
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C30C1	1_2_00007FFDFB0C30C1
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB1F7AF0	1_2_00007FFDFB1F7AF0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB2639D0	1_2_00007FFDFB2639D0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB277A10	1_2_00007FFDFB277A10
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C4165	1_2_00007FFDFB0C4165
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C3FDA	1_2_00007FFDFB0C3FDA
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C6A82	1_2_00007FFDFB0C6A82
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C655A	1_2_00007FFDFB0C655A
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C4C37	1_2_00007FFDFB0C4C37
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0DBF20	1_2_00007FFDFB0DBF20
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0DBD60	1_2_00007FFDFB0DBD60
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C2289	1_2_00007FFDFB0C2289
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C2766	1_2_00007FFDFB0C2766
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB1EFE30	1_2_00007FFDFB1EFE30
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C32E7	1_2_00007FFDFB0C32E7
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A8B28C	25_2_00007FF670A8B28C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A864A4	25_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A8FD48	25_2_00007FF670A8FD48
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A94D48	25_2_00007FF670A94D48
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A76740	25_2_00007FF670A76740
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A811F4	25_2_00007FF670A811F4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A829E4	25_2_00007FF670A829E4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A9314C	25_2_00007FF670A9314C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A862F0	25_2_00007FF670A862F0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A8DAB8	25_2_00007FF670A8DAB8
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A872FC	25_2_00007FF670A872FC
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A80A4C	25_2_00007FF670A80A4C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A98A88	25_2_00007FF670A98A88
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A71B90	25_2_00007FF670A71B90
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A90CE4	25_2_00007FF670A90CE4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A92CC0	25_2_00007FF670A92CC0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A84D00	25_2_00007FF670A84D00
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A80C38	25_2_00007FF670A80C38
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A8D438	25_2_00007FF670A8D438
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A79CB0	25_2_00007FF670A79CB0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A81CA0	25_2_00007FF670A81CA0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A864A4	25_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A82618	25_2_00007FF670A82618
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A80E20	25_2_00007FF670A80E20
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A88F00	25_2_00007FF670A88F00
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A94FC4	25_2_00007FF670A94FC4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A8100C	25_2_00007FF670A8100C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A95740	25_2_00007FF670A95740
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A8CF88	25_2_00007FF670A8CF88
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A80864	25_2_00007FF670A80864
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A8FD48	25_2_00007FF670A8FD48
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A8B28C	26_2_00007FF670A8B28C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A811F4	26_2_00007FF670A811F4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A829E4	26_2_00007FF670A829E4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A9314C	26_2_00007FF670A9314C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A862F0	26_2_00007FF670A862F0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A8DAB8	26_2_00007FF670A8DAB8
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A872FC	26_2_00007FF670A872FC
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A80A4C	26_2_00007FF670A80A4C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A98A88	26_2_00007FF670A98A88
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A71B90	26_2_00007FF670A71B90
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A90CE4	26_2_00007FF670A90CE4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A92CC0	26_2_00007FF670A92CC0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A84D00	26_2_00007FF670A84D00
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A80C38	26_2_00007FF670A80C38
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A8D438	26_2_00007FF670A8D438
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A79CB0	26_2_00007FF670A79CB0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A864A4	26_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A81CA0	26_2_00007FF670A81CA0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A864A4	26_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A82618	26_2_00007FF670A82618
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A80E20	26_2_00007FF670A80E20
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A8FD48	26_2_00007FF670A8FD48
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A94D48	26_2_00007FF670A94D48
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A88F00	26_2_00007FF670A88F00
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A94FC4	26_2_00007FF670A94FC4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A8100C	26_2_00007FF670A8100C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A95740	26_2_00007FF670A95740
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A76740	26_2_00007FF670A76740
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A8CF88	26_2_00007FF670A8CF88
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A80864	26_2_00007FF670A80864
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A8FD48	26_2_00007FF670A8FD48
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF7F920	26_2_00007FFDFAF7F920
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFAFF20	26_2_00007FFDFAFAFF20
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB00ED10	26_2_00007FFDFB00ED10
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB04BBA0	26_2_00007FFDFB04BBA0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF98AB0	26_2_00007FFDFAF98AB0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFEB980	26_2_00007FFDFAFEB980
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF969A2	26_2_00007FFDFAF969A2
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFF6A00	26_2_00007FFDFAFF6A00
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF93A50	26_2_00007FFDFAF93A50
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB014870	26_2_00007FFDFB014870
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFD6880	26_2_00007FFDFAFD6880
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB0158B0	26_2_00007FFDFB0158B0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFBB910	26_2_00007FFDFAFBB910
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFAB010	26_2_00007FFDFAFAB010
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF9E040	26_2_00007FFDFAF9E040
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFD1E60	26_2_00007FFDFAFD1E60
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFEFEA0	26_2_00007FFDFAFEFEA0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFDBEC0	26_2_00007FFDFAFDBEC0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF93F10	26_2_00007FFDFAF93F10
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFA4F20	26_2_00007FFDFAFA4F20
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFFBD60	26_2_00007FFDFAFFBD60
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFEDD60	26_2_00007FFDFAFEDD60
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB006D70	26_2_00007FFDFB006D70
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB007D80	26_2_00007FFDFB007D80
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB02DE30	26_2_00007FFDFB02DE30
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFFEE50	26_2_00007FFDFAFFEE50
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB03CC70	26_2_00007FFDFB03CC70
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFE6C70	26_2_00007FFDFAFE6C70
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFA1CB0	26_2_00007FFDFAFA1CB0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFDCCF0	26_2_00007FFDFAFDCCF0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF9F400	26_2_00007FFDFAF9F400
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFD4270	26_2_00007FFDFAFD4270
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFB2280	26_2_00007FFDFAFB2280
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFA8290	26_2_00007FFDFAFA8290
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFE72C0	26_2_00007FFDFAFE72C0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFDB300	26_2_00007FFDFAFDB300
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFE81A0	26_2_00007FFDFAFE81A0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB021070	26_2_00007FFDFB021070
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF9A060	26_2_00007FFDFAF9A060
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF96060	26_2_00007FFDFAF96060
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB014060	26_2_00007FFDFB014060
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFB70B0	26_2_00007FFDFAFB70B0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFBB150	26_2_00007FFDFAFBB150
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFBA770	26_2_00007FFDFAFBA770
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFAA7B0	26_2_00007FFDFAFAA7B0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFB5800	26_2_00007FFDFAFB5800
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFB4810	26_2_00007FFDFAFB4810
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB03A850	26_2_00007FFDFB03A850
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFBC690	26_2_00007FFDFAFBC690
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFAB6B0	26_2_00007FFDFAFAB6B0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFBE710	26_2_00007FFDFAFBE710
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFA6740	26_2_00007FFDFAFA6740
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF92758	26_2_00007FFDFAF92758
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAF965DB	26_2_00007FFDFAF965DB
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB0025D0	26_2_00007FFDFB0025D0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB021460	26_2_00007FFDFB021460
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFF24F0	26_2_00007FFDFAFF24F0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFAFC3510	26_2_00007FFDFAFC3510
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB111880	26_2_00007FFDFB111880
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB583230	26_2_00007FFDFB583230
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2330C1	26_2_00007FFDFB2330C1
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB367AF0	26_2_00007FFDFB367AF0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB3D39D0	26_2_00007FFDFB3D39D0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB234165	26_2_00007FFDFB234165
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB3E7A10	26_2_00007FFDFB3E7A10
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233FDA	26_2_00007FFDFB233FDA
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB236A82	26_2_00007FFDFB236A82
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB23655A	26_2_00007FFDFB23655A
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB234C37	26_2_00007FFDFB234C37
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB24BF20	26_2_00007FFDFB24BF20
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB24BD60	26_2_00007FFDFB24BD60
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB232289	26_2_00007FFDFB232289
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB35FE30	26_2_00007FFDFB35FE30
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB232766	26_2_00007FFDFB232766
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2332E7	26_2_00007FFDFB2332E7
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235D85	26_2_00007FFDFB235D85
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB367310	26_2_00007FFDFB367310
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235169	26_2_00007FFDFB235169
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233B93	26_2_00007FFDFB233B93
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB23114F	26_2_00007FFDFB23114F
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB25B1C0	26_2_00007FFDFB25B1C0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB24F200	26_2_00007FFDFB24F200
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2329CD	26_2_00007FFDFB2329CD
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB24F060	26_2_00007FFDFB24F060
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB236CB7	26_2_00007FFDFB236CB7
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB23609B	26_2_00007FFDFB23609B
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2321B7	26_2_00007FFDFB2321B7
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB236F23	26_2_00007FFDFB236F23
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB29F700	26_2_00007FFDFB29F700
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2322E8	26_2_00007FFDFB2322E8
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB237045	26_2_00007FFDFB237045
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB231EA1	26_2_00007FFDFB231EA1
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB46F460	26_2_00007FFDFB46F460
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB25B550	26_2_00007FFDFB25B550
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235B0F	26_2_00007FFDFB235B0F
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB231B22	26_2_00007FFDFB231B22
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB3D2A90	26_2_00007FFDFB3D2A90
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB234D04	26_2_00007FFDFB234D04
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB312B40	26_2_00007FFDFB312B40
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235D9E	26_2_00007FFDFB235D9E
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2323F1	26_2_00007FFDFB2323F1
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB36B020	26_2_00007FFDFB36B020
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB236EEC	26_2_00007FFDFB236EEC
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB23213F	26_2_00007FFDFB23213F
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB24EF00	26_2_00007FFDFB24EF00
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB234633	26_2_00007FFDFB234633
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2372C0	26_2_00007FFDFB2372C0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB231A4B	26_2_00007FFDFB231A4B
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB237077	26_2_00007FFDFB237077
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB236FFA	26_2_00007FFDFB236FFA
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233693	26_2_00007FFDFB233693
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233486	26_2_00007FFDFB233486
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB231B31	26_2_00007FFDFB231B31
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB366130	26_2_00007FFDFB366130
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235E20	26_2_00007FFDFB235E20
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2360D7	26_2_00007FFDFB2360D7
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB362670	26_2_00007FFDFB362670
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB234E4E	26_2_00007FFDFB234E4E
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB231CC1	26_2_00007FFDFB231CC1
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235A60	26_2_00007FFDFB235A60
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB237252	26_2_00007FFDFB237252
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233832	26_2_00007FFDFB233832
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2335FD	26_2_00007FFDFB2335FD
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB231CFD	26_2_00007FFDFB231CFD
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2359F7	26_2_00007FFDFB2359F7
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233A85	26_2_00007FFDFB233A85
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2350AB	26_2_00007FFDFB2350AB
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB3E99E0	26_2_00007FFDFB3E99E0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB3D1920	26_2_00007FFDFB3D1920
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB234746	26_2_00007FFDFB234746
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2357D1	26_2_00007FFDFB2357D1
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB23378D	26_2_00007FFDFB23378D
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB234359	26_2_00007FFDFB234359
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB231D83	26_2_00007FFDFB231D83
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB237365	26_2_00007FFDFB237365
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB365E30	26_2_00007FFDFB365E30
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2372A7	26_2_00007FFDFB2372A7
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB23266C	26_2_00007FFDFB23266C
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB232982	26_2_00007FFDFB232982
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB232D0B	26_2_00007FFDFB232D0B
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB231622	26_2_00007FFDFB231622
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233BA2	26_2_00007FFDFB233BA2
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235F0B	26_2_00007FFDFB235F0B
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235510	26_2_00007FFDFB235510
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB234287	26_2_00007FFDFB234287
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2353A8	26_2_00007FFDFB2353A8
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB24D260	26_2_00007FFDFB24D260
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB2344C6	26_2_00007FFDFB2344C6

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: String function: 00007FF619BC2770 appears 82 times
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: String function: 00007FFDFAE29310 appears 158 times
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: String function: 00007FFDFAE286B0 appears 119 times
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: String function: 00007FFDFB0C1EF1 appears 165 times
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: String function: 00007FFDFB0C4057 appears 130 times
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: String function: 00007FFDFB0C2734 appears 75 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFAF99310 appears 158 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFB232734 appears 355 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFB23300D appears 50 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FF670A72770 appears 82 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFB236988 appears 31 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFAF986B0 appears 119 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFB232A04 appears 78 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFB234057 appears 524 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFB231EF1 appears 890 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFB23483B appears 92 times
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: String function: 00007FFDFB2324B9 appears 60 times

Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: win32ui.pyd.0.dr	Static PE information: Resource name: RT_MENU type: COM executable for DOS
Source: win32ui.pyd.0.dr	Static PE information: Resource name: RT_GROUP_CURSOR type: DOS executable (COM, 0x8C-variant)

Source: python3.dll.0.dr	Static PE information: No import functions for PE file found
Source: python3.dll.25.dr	Static PE information: No import functions for PE file found

Source: NEVER OPEN!.exe, 00000000.00000003.1718374334.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718480312.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1725542997.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32crypt.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1719318901.0000027663E05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1723670795.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom310.dll0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718221490.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1726594155.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1717788454.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718628289.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1724659864.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1724000360.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes310.dll0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1717619222.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718107183.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718740947.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718999118.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1719100684.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1720724832.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718010752.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1724481502.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718813658.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1725938350.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1719318901.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1722746625.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1725185679.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1725333388.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshell.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1724982936.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1717924924.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1719208282.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1718914840.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000000.00000003.1725938350.0000027663E06000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1923402448.00007FFE1320C000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1907437203.00007FFE014DE000.00000004.00000001.01000000.0000001D.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1916827047.00007FFE10318000.00000004.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1921998275.00007FFE12E19000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1898503424.00007FFDFB414000.00000004.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1878698743.000001F093850000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1915396079.00007FFE0EB6C000.00000004.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1924223671.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1910950990.00007FFE0E143000.00000004.00000001.01000000.00000019.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1899711383.00007FFE001E6000.00000004.00000001.01000000.0000003B.sdmp	Binary or memory string: OriginalFilenamewin32crypt.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1907121579.00007FFE01475000.00000004.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamepythoncom310.dll0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1904170665.00007FFE00823000.00000004.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilenamelibsslH vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1922934113.00007FFE130CC000.00000004.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1904674154.00007FFE012DF000.00000004.00000001.01000000.00000032.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1909564751.00007FFE0CFBA000.00000004.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1915708693.00007FFE101E8000.00000004.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1904462925.00007FFE01224000.00000004.00000001.01000000.00000031.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1897449895.00007FFDFB0B7000.00000004.00000001.01000000.0000001C.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1911590919.00007FFE0E183000.00000004.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1896632509.00007FFDFAF8E000.00000004.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1906681535.00007FFE013B1000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs NEVER OPEN!.exe
Source: NEVER OPEN!.exe, 00000001.00000002.1916310700.00007FFE10263000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs NEVER OPEN!.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f

Source: libcrypto-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9987735523897059
Source: libssl-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9903690732758621
Source: python310.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989668051626591
Source: pythoncom310.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9899098376132931
Source: sqlite3.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9974886012158704
Source: _ec_ws.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.997811369573955
Source: _imaging.cp310-win_amd64.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9979345034246575
Source: _imagingft.cp310-win_amd64.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9982498724016332
Source: _webp.cp310-win_amd64.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9935926258992805
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9949454842032966
Source: shell.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9900203339041096
Source: win32ui.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9930103058510639
Source: libcrypto-1_1.dll.25.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9987735523897059
Source: libssl-1_1.dll.25.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9903690732758621
Source: python310.dll.25.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9989668051626591
Source: pythoncom310.dll.25.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9899098376132931
Source: sqlite3.dll.25.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9974886012158704
Source: _ec_ws.pyd.25.dr	Static PE information: Section: UPX1 ZLIB complexity 0.997811369573955
Source: _imaging.cp310-win_amd64.pyd.25.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9979345034246575
Source: _imagingft.cp310-win_amd64.pyd.25.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9982498724016332

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@78/365@4/4

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 0_2_00007FF619BC7410 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF619BC7410

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

File created: C:\Users\user\Desktop\login_db

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI70002

Jump to behavior

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f"

Source: NEVER OPEN!.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NEVER OPEN!.exe, dat.txt	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: NEVER OPEN!.exe, dat.txt	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: NEVER OPEN!.exe, dat.txt	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: NEVER OPEN!.exe, dat.txt	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: NEVER OPEN!.exe, dat.txt	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: NEVER OPEN!.exe, 00000001.00000003.1766435908.000001F0976BD000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F097690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: NEVER OPEN!.exe, dat.txt	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: NEVER OPEN!.exe

ReversingLabs: Detection: 57%

Source: NEVER OPEN!.exe	String found in binary or memory: set-addPolicy
Source: NEVER OPEN!.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

File read: C:\Users\user\Desktop\NEVER OPEN!.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NEVER OPEN!.exe "C:\Users\user\Desktop\NEVER OPEN!.exe"
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Users\user\Desktop\NEVER OPEN!.exe "C:\Users\user\Desktop\NEVER OPEN!.exe"
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\empyrean\run.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\empyrean\run.bat" "
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Users\user\Desktop\NEVER OPEN!.exe "C:\Users\user\Desktop\NEVER OPEN!.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: libffi-7.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: dpapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: libffi-7.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: NEVER OPEN!.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: NEVER OPEN!.exe

Static file information: File size 18752296 > 1048576

Source: NEVER OPEN!.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NEVER OPEN!.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NEVER OPEN!.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NEVER OPEN!.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NEVER OPEN!.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NEVER OPEN!.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NEVER OPEN!.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: NEVER OPEN!.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\A\40\b\bin\amd64\_decimal.pdb$$ source: NEVER OPEN!.exe, 00000001.00000002.1906311543.00007FFE01371000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: NEVER OPEN!.exe, dat.txt
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: NEVER OPEN!.exe, dat.txt
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: NEVER OPEN!.exe, 00000001.00000002.1903355658.00007FFE007E6000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_decimal.pdb source: NEVER OPEN!.exe, 00000001.00000002.1906311543.00007FFE01371000.00000040.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: NEVER OPEN!.exe, 00000001.00000002.1920987146.00007FFE126C1000.00000040.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb source: NEVER OPEN!.exe, 00000001.00000002.1899389721.00007FFE001C1000.00000040.00000001.01000000.0000003B.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: NEVER OPEN!.exe, 00000001.00000002.1897592652.00007FFDFB30E000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python3.pdb source: NEVER OPEN!.exe, 00000000.00000003.1722852728.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1878698743.000001F093850000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: NEVER OPEN!.exe, 00000000.00000003.1717619222.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1924121684.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: NEVER OPEN!.exe, 00000001.00000002.1916135326.00007FFE10241000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: NEVER OPEN!.exe, 00000000.00000003.1717619222.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1924121684.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: NEVER OPEN!.exe, 00000001.00000002.1922538367.00007FFE130C1000.00000040.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: NEVER OPEN!.exe, 00000001.00000002.1907220479.00007FFE014C1000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\python310.pdb source: NEVER OPEN!.exe, 00000001.00000002.1898577877.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: NEVER OPEN!.exe, 00000001.00000002.1904550109.00007FFE012D1000.00000040.00000001.01000000.00000032.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: NEVER OPEN!.exe, 00000001.00000002.1909665891.00007FFE0CFC1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: NEVER OPEN!.exe, 00000000.00000003.1717788454.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1921820675.00007FFE12E15000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: NEVER OPEN!.exe, 00000001.00000002.1915163773.00007FFE0EB5C000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: NEVER OPEN!.exe, 00000001.00000002.1904263516.00007FFE01211000.00000040.00000001.01000000.00000031.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: NEVER OPEN!.exe, 00000001.00000002.1915163773.00007FFE0EB5C000.00000040.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: NEVER OPEN!.exe, 00000001.00000002.1909239152.00007FFE0CF91000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\select.pdb source: NEVER OPEN!.exe, 00000001.00000002.1923089438.00007FFE13201000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: NEVER OPEN!.exe, 00000001.00000002.1896873012.00007FFDFB0AC000.00000040.00000001.01000000.0000001C.sdmp
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: NEVER OPEN!.exe, 00000001.00000002.1903355658.00007FFE007E6000.00000040.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: NEVER OPEN!.exe, 00000001.00000002.1909239152.00007FFE0CF91000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: NEVER OPEN!.exe, 00000001.00000002.1908679287.00007FFE0C0A1000.00000040.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: NEVER OPEN!.exe, 00000001.00000002.1915478870.00007FFE101D1000.00000040.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: NEVER OPEN!.exe, 00000001.00000002.1909665891.00007FFE0CFC1000.00000040.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: NEVER OPEN!.exe, 00000001.00000002.1916398193.00007FFE10301000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: NEVER OPEN!.exe, 00000001.00000002.1897592652.00007FFDFB30E000.00000040.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: NEVER OPEN!.exe, 00000000.00000003.1717788454.0000027663DF8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1921820675.00007FFE12E15000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: NEVER OPEN!.exe, dat.txt
Source:	Binary string: C:\A\40\b\bin\amd64\pyexpat.pdb source: NEVER OPEN!.exe, 00000001.00000002.1911150737.00007FFE0E151000.00000040.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32crypt.pdb!! source: NEVER OPEN!.exe, 00000001.00000002.1899389721.00007FFE001C1000.00000040.00000001.01000000.0000003B.sdmp

Source: NEVER OPEN!.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NEVER OPEN!.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NEVER OPEN!.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NEVER OPEN!.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NEVER OPEN!.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 1_2_00007FFDFAE0F920 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFAE0F920

Source: NEVER OPEN!.exe	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libffi-7.dll.0.dr	Static PE information: section name: UPX2
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: dat.txt.1.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.25.dr	Static PE information: section name: _RDATA
Source: libffi-7.dll.25.dr	Static PE information: section name: UPX2
Source: mfc140u.dll.25.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFABC4F44 push 6FFDC5CAh; ret	1_2_00007FFDFABC4F4A
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFABC7679 push 6FFDC5D5h; iretd	1_2_00007FFDFABC767F
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFABC4A94 push 6FFDC5D5h; iretd	1_2_00007FFDFABC4A9A
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFABC73CB push 60F5C5F1h; iretd	1_2_00007FFDFABC73D3
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFABC4F90 push 6FFDC5C3h; iretd	1_2_00007FFDFABC4F96
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFABC7929 push 6FFDC5CAh; ret	1_2_00007FFDFABC792F
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFABC45E6 push 60F5C5F1h; iretd	1_2_00007FFDFABC45EE
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFABC7975 push 6FFDC5C3h; iretd	1_2_00007FFDFABC797B
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6F8D push r10; ret	1_2_00007FFDFAFA6FA0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA77EA push rsi; ret	1_2_00007FFDFAFA7821
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA9C02 push rsp; retf	1_2_00007FFDFAFA9C03
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6C21 push r10; ret	1_2_00007FFDFAFA6C23
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA8E66 push rbp; iretq	1_2_00007FFDFAFA8E67
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6E8C push rsp; iretd	1_2_00007FFDFAFA6E8D
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6E9B push rsi; ret	1_2_00007FFDFAFA6E9C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6EB6 push r10; retf	1_2_00007FFDFAFA6EB9
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6ED0 push r12; ret	1_2_00007FFDFAFA6EEE
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFAA2E5 push rsp; retf	1_2_00007FFDFAFAA2E6
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA92E4 push r10; retf	1_2_00007FFDFAFA9350
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA8EFE push r12; ret	1_2_00007FFDFAFA8F25
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6F32 push r12; ret	1_2_00007FFDFAFA6F4A
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA8F53 push r12; iretd	1_2_00007FFDFAFA8F6A
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6F54 push r8; ret	1_2_00007FFDFAFA6F5C
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFAA164 push rsp; ret	1_2_00007FFDFAFAA165
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA9D85 push rsp; iretq	1_2_00007FFDFAFA9D86
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA85A7 push r12; ret	1_2_00007FFDFAFA85E3
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA91A3 push rdi; iretd	1_2_00007FFDFAFA91A5
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6DFB push rsp; ret	1_2_00007FFDFAFA6E03
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6E44 push rdi; iretd	1_2_00007FFDFAFA6E46
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFAA4A9 push rdx; ret	1_2_00007FFDFAFAA500
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA6CCC push r8; ret	1_2_00007FFDFAFA6CD9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp\_http_writer.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingft.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\yarl\_quoting_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp\_helpers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\yarl\_quoting_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\frozenlist\_frozenlist.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\frozenlist\_frozenlist.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\multidict\_multidict.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp\_http_parser.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_helpers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp\_http_writer.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imagingft.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\frozenlist\_frozenlist.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_http_writer.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_http_parser.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp\_http_parser.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\propcache\_helpers_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\multidict\_multidict.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\multidict\_multidict.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_websocket.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp\_websocket.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\yarl\_quoting_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\propcache\_helpers_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp\_helpers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\propcache\_helpers_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imagingft.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp\_websocket.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File created: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA224.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

File created: C:\Users\user\AppData\Roaming\empyrean\dat.txt

Jump to dropped file

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run empyrean			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run empyrean			Jump to behavior

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 0_2_00007FF619BC3DD0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF619BC3DD0

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt

Code function: 26_2_00007FFDFB23572C rdtsc

26_2_00007FFDFB23572C

Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp\_http_writer.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingft.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\yarl\_quoting_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp\_helpers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\yarl\_quoting_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\frozenlist\_frozenlist.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\frozenlist\_frozenlist.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\multidict\_multidict.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp\_http_parser.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_helpers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp\_http_writer.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imagingft.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\frozenlist\_frozenlist.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_http_writer.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_http_parser.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\python310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp\_http_parser.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\propcache\_helpers_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\multidict\_multidict.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\multidict\_multidict.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_websocket.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp\_websocket.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\yarl\_quoting_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\propcache\_helpers_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp\_helpers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\propcache\_helpers_c.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\PIL\_imagingft.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp\_websocket.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Hash\_SHA224.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-16203

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	API coverage: 6.7 %
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	API coverage: 5.7 %

Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD64A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BC7780 FindFirstFileExW,FindClose,	0_2_00007FF619BC7780
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BE0CE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF619BE0CE4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD64A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BE0CE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF619BE0CE4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD64A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD64A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	1_2_00007FF619BD64A4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BC7780 FindFirstFileExW,FindClose,	1_2_00007FF619BC7780
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFB0C3229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	1_2_00007FFDFB0C3229
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A864A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	25_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A77780 FindFirstFileExW,FindClose,	25_2_00007FF670A77780
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A90CE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	25_2_00007FF670A90CE4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A864A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	25_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A90CE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	26_2_00007FF670A90CE4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A864A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	26_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A864A4 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	26_2_00007FF670A864A4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A77780 FindFirstFileExW,FindClose,	26_2_00007FF670A77780
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB233229 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,00007FFE1FF9F020,FindFirstFileW,FindNextFileW,WideCharToMultiByte,	26_2_00007FFDFB233229

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 1_2_00007FFDFAE2F820 GetSystemInfo,

1_2_00007FFDFAE2F820

Source: NEVER OPEN!.exe, 00000000.00000003.1731893252.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: NEVER OPEN!.exe, 00000001.00000003.1876497591.000001F095CA0000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876718078.000001F095CAB000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1868292392.000001F095C9E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1882319970.000001F095CAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWwork%SystemRoot%\system32\mswsock.dllThe connection has been reset.

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt

Code function: 26_2_00007FFDFB23572C

26_2_00007FFDFB23572C

Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt

Code function: 26_2_00007FFDFB23572C rdtsc

26_2_00007FFDFB23572C

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 0_2_00007FF619BD9E30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF619BD9E30

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 1_2_00007FFDFAE0F920 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_00007FFDFAE0F920

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 0_2_00007FF619BE28B0 GetProcessHeap,

0_2_00007FF619BE28B0

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BD9E30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF619BD9E30
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BCB5CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF619BCB5CC
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BCAFB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF619BCAFB4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 0_2_00007FF619BCB7B0 SetUnhandledExceptionFilter,	0_2_00007FF619BCB7B0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BD9E30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF619BD9E30
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BCB5CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF619BCB5CC
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BCAFB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF619BCAFB4
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FF619BCB7B0 SetUnhandledExceptionFilter,	1_2_00007FF619BCB7B0
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Code function: 1_2_00007FFDFAFA3048 IsProcessorFeaturePresent,00007FFE1A4519C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1A4519C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFAFA3048
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A7B5CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FF670A7B5CC
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A89E30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FF670A89E30
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A7AFB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FF670A7AFB4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 25_2_00007FF670A7B7B0 SetUnhandledExceptionFilter,	25_2_00007FF670A7B7B0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A7B5CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00007FF670A7B5CC
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A89E30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00007FF670A89E30
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A7AFB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	26_2_00007FF670A7AFB4
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FF670A7B7B0 SetUnhandledExceptionFilter,	26_2_00007FF670A7B7B0
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB113048 IsProcessorFeaturePresent,00007FFE1A4519C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1A4519C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00007FFDFB113048
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Code function: 26_2_00007FFDFB235A1F IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	26_2_00007FFDFB235A1F

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Users\user\Desktop\NEVER OPEN!.exe "C:\Users\user\Desktop\NEVER OPEN!.exe"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\user\AppData\Roaming\empyrean\run.bat /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Users\user\AppData\Roaming\empyrean\dat.txt C:\Users\user\AppData\Roaming\empyrean\dat.txt
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 0_2_00007FF619BE88D0 cpuid

0_2_00007FF619BE88D0

Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pywintypes310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pythoncom310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpufkq9fz1 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer\md.cp310-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\charset_normalizer\md__mypyc.cp310-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\Desktop\NEVER OPEN!.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEVER OPEN!.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70002\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\altgraph-0.17.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\attrs-23.1.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\pyinstaller-5.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Roaming\empyrean\dat.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Roaming\empyrean\dat.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442 VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442 VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442 VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442 VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Roaming\empyrean VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Roaming\empyrean\dat.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Roaming\empyrean\dat.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI45442\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Roaming\empyrean\dat.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Roaming\empyrean\dat.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	Queries volume information: C:\Users\user\AppData\Roaming\empyrean\dat.txt VolumeInformation

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 0_2_00007FF619BCB4B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF619BCB4B0

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Code function: 0_2_00007FF619BE4D48 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF619BE4D48

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match	File source: Process Memory Space: NEVER OPEN!.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: NEVER OPEN!.exe, type: SAMPLE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\empyrean\dat.txt, type: DROPPED

Yara detected Empyrean

Source: Yara match	File source: 00000020.00000002.2233150692.000001A88A4E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2151057596.0000013317E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEVER OPEN!.exe PID: 7164, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: NEVER OPEN!.exe PID: 7164, type: MEMORYSTR

Remote Access Functionality

Detected Empyrean Stealer

Source: C:\Users\user\Desktop\NEVER OPEN!.exe

File created: C:\Users\user\AppData\Roaming\empyrean\dat.txt

Jump to behavior

Yara detected Discord Token Stealer

Source: Yara match	File source: Process Memory Space: NEVER OPEN!.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: NEVER OPEN!.exe, type: SAMPLE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\empyrean\dat.txt, type: DROPPED

Yara detected Empyrean

Source: Yara match	File source: 00000020.00000002.2233150692.000001A88A4E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2151057596.0000013317E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEVER OPEN!.exe PID: 7164, type: MEMORYSTR

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: NEVER OPEN!.exe PID: 7164, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\empyrean\dat.txt

Code function: 26_2_00007FFDFB232B5D bind,WSAGetLastError,

26_2_00007FFDFB232B5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	131 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	11 Process Injection	21 Obfuscated Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	11 Software Packing	Security Account Manager	46 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	251 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
NEVER OPEN!.exe	58%	ReversingLabs	Win64.Trojan.Disco
NEVER OPEN!.exe	100%	Avira	HEUR/AGEN.1358353
NEVER OPEN!.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_Salsa20.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_chacha20.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_BLAKE2b.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imaging.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingcms.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingft.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_imagingtk.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\PIL\_webp.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_hashlib.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\_win32sysloader.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_helpers.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_http_parser.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_http_writer.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\aiohttp\_websocket.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\charset_normalizer\md.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\frozenlist\_frozenlist.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\multidict\_multidict.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\propcache\_helpers_c.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\python310.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\pythoncom310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\pywintypes310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\sqlite3.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\win32api.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\win32com\shell\shell.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\win32crypt.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\win32trace.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI2802\win32ui.pyd	25%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\_MEI2802\yarl\_quoting_c.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_Salsa20.pyd	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI45442\Crypto\Cipher\_chacha20.pyd	4%	ReversingLabs

Source	Detection	Scanner	Label
https://i.imgu	0%	Avira URL Cloud	safe
https://www.pyinstaller.org/	0%	Avira URL Cloud	safe
http://repository.swisssign.com/7	0%	Avira URL Cloud	safe
http://ocsp.accv.ese	0%	Avira URL Cloud	safe
http://timgolden.me.uk/python/wmi.htmlread	0%	Avira URL Cloud	safe
https://peps.python.org/pep-0681/)	0%	Avira URL Cloud	safe
https://pyinstaller.readthedocs.io/en/v5.0.1/CHANGES.html	0%	Avira URL Cloud	safe
https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa	0%	Avira URL Cloud	safe
http://repository.swisssign.com/U	0%	Avira URL Cloud	safe
https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing	0%	Avira URL Cloud	safe
https://127.0.0.1:8443	0%	Avira URL Cloud	safe
https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization).	0%	Avira URL Cloud	safe
https://pygments.org/docs/styles/#getting-a-list-of-available-styles).	0%	Avira URL Cloud	safe
http://packages.python.org/altgraph	0%	Avira URL Cloud	safe
https://docs.aiohttp.org/en/stable	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipapi.co	104.26.9.44	true	false	high
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
discord.com	162.159.137.232	true	false	high
www.cloudflare.com	104.16.124.96	true	false	high
raw.githubusercontent.com	185.199.110.133	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://discord.com/channels/	NEVER OPEN!.exe, 00000001.00000002.1893994482.000001F0980D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://i.imgu	NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F098584000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/giampaolo/psutil/issues/875.	NEVER OPEN!.exe, 00000001.00000002.1889881614.000001F096BA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/251	NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1747162433.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/1085)	NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl0	NEVER OPEN!.exe, 00000001.00000003.1869260303.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863855088.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869038207.000001F09779D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1859519257.000001F09779D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889252951.000001F09668A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i.scdn.co/image/	NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/developers/applications/	NEVER OPEN!.exe, 00000001.00000002.1890308306.000001F0970F0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877031715.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889135569.000001F09662C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/aio-libs/aiohttp/discussions/6044	NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://python.org	NEVER OPEN!.exe, 00000001.00000002.1893515704.000001F097C40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://python.org/dev/peps/pep-0263/	NEVER OPEN!.exe, 00000001.00000002.1898577877.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	NEVER OPEN!.exe, 00000001.00000003.1737866877.000001F093927000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870519237.000001F093913000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1879447015.000001F093915000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1738161329.000001F093927000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/sponsors/hynek	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.leboncoin.fr/	NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/api/v	NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/7	NEVER OPEN!.exe, 00000001.00000003.1865464973.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866464509.000001F0976B1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892598384.000001F0976B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://timgolden.me.uk/python/wmi.htmlread	NEVER OPEN!.exe, 00000001.00000002.1894215353.000001F0982D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.pyinstaller.org/	NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipapi.co/ip/	NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.php	NEVER OPEN!.exe, 00000001.00000003.1869811293.000001F0964B7000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875247294.000001F0964C3000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871028242.000001F0964C1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/FilePreviews.svg	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.msn.com	NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097770000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F0996D4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1792420967.000001F097770000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871513780.000001F096512000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1887451073.000001F096536000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/136	NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl	NEVER OPEN!.exe, 00000001.00000002.1889881614.000001F096BA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877031715.000001F09662C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889135569.000001F09662C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891393968.000001F097504000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	NEVER OPEN!.exe, 00000001.00000002.1890206695.000001F096FF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	NEVER OPEN!.exe, 00000001.00000002.1890308306.000001F0970F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/U	NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accv.es/legislacion_c.htmz1	NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890462247.000001F097216000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/oauth2/authorize?client_id=	NEVER OPEN!.exe, 00000001.00000002.1893776235.000001F097EC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://zopeinterface.readthedocs.io/en/latest/	NEVER OPEN!.exe, 00000001.00000002.1883414803.000001F095E2A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1746818736.000001F095E27000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869759132.000001F095E27000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1748289517.000001F095E27000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/python-attrs/attrs/main/.github/sponsors/Tidelift.svg	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.cloudflare.com/cdn-cgi/tracep8B	NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3	NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888632190.000001F0965A4000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2	NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888632190.000001F0965A4000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	NEVER OPEN!.exe, 00000001.00000003.1869260303.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863855088.000001F096684000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1788868906.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1889252951.000001F09668A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	NEVER OPEN!.exe, 00000001.00000003.1737866877.000001F093927000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870519237.000001F093913000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1879447015.000001F093915000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1738161329.000001F093927000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/	NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/microsoft/pyright/)).	NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://filepreviews.io/	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	NEVER OPEN!.exe, 00000001.00000003.1874217754.000001F095D70000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1875606707.000001F095DA1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870689292.000001F095922000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867207825.000001F09591C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1869627513.000001F095D5F000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877251993.000001F095DAB000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876866086.000001F095DA7000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1881418163.000001F095923000.00000004.00000020.00020000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0681/)	NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bbc.co.uk/	NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wiki.debian.org/XDGBaseDirectorySpecification#state	NEVER OPEN!.exe, 00000001.00000002.1880785392.000001F095840000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=referral&utm_campa	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bugzilla.mo	NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crlfts3	NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097719000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795276580.000001F097677000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866436381.000001F097716000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795396100.000001F09767F000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873103669.000001F095D16000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891810964.000001F0975A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795348868.000001F097645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	NEVER OPEN!.exe, 00000001.00000002.1890102466.000001F096EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/1084)	NEVER OPEN!.exe, 00000000.00000003.1728423649.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663E07000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/changelog.html	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.aiohttp.org/en/stable/client_advanced.html#client-tracing	NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874305117.000001F0974F9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863985982.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.variomedia.de/	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crlex	NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	NEVER OPEN!.exe, 00000001.00000003.1873581283.000001F097495000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874932917.000001F0974B0000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888533425.000001F096587000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873103669.000001F095D16000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891810964.000001F0975A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890462247.000001F097216000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865696051.000001F095D0D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795348868.000001F097645000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890431124.000001F097203000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.iqiyi.com/	NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871513780.000001F096512000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1887451073.000001F096536000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/ronaldoussoren/altgraph	NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876188142.000001F0965AC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888675099.000001F0965AD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crldex	NEVER OPEN!.exe, 00000001.00000003.1864747713.000001F097602000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866412775.000001F097626000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866338256.000001F097610000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863122925.000001F0975EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.cloudflare.com/cdn-cgi/trace	NEVER OPEN!.exe, 00000001.00000002.1894340923.000001F0983D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com/ajax/libs/firacode/6.2.0/woff/FiraCode-Regular.woff	NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyinstaller/pyinstaller	NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/ronaldoussoren/altgraph/issues	NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pyinstaller.readthedocs.io/en/v5.0.1/CHANGES.html	NEVER OPEN!.exe, 00000000.00000003.1733101901.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.accv.ese	NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097719000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795276580.000001F097677000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795108227.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866436381.000001F097716000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795396100.000001F09767F000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1776290730.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F09763E000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795186531.000001F097663000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F09763E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://127.0.0.1:8443	NEVER OPEN!.exe, 00000001.00000003.1867399628.000001F0963D9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874724322.000001F096584000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867569214.000001F096409000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1867285529.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F0963D8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866887734.000001F096510000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1888632190.000001F0965A4000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1872449458.000001F096566000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1876289881.000001F0965A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1873753770.000001F09656C000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com/cps0	NEVER OPEN!.exe, 00000001.00000003.1872946214.000001F0971F1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795276580.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795331629.000001F0976B1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972FC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1788868906.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1865464973.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1866464509.000001F0976B1000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1780149602.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766273937.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1890462247.000001F097216000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1793423772.000001F0976A2000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1892598384.000001F0976B4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://packages.python.org/altgraph	NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/re.html#re.sub	NEVER OPEN!.exe, 00000001.00000003.1743000479.000001F096335000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1881898101.000001F095B40000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1743000479.000001F0962F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	NEVER OPEN!.exe, 00000001.00000003.1795042561.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874305117.000001F0974F9000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874681025.000001F097500000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1863985982.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766790298.000001F0974DC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891271962.000001F0974EF000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1891393968.000001F097504000.00000004.00000020.00020000.00000000.sdmp	false		high
https://open.spotify.com/track/	NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097770000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F0996D4000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099628000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1792420967.000001F097770000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.aiohttp.org/en/stable	NEVER OPEN!.exe, 00000001.00000002.1890619309.000001F0972FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gist.github.com/XVilka/8346728	NEVER OPEN!.exe, 00000001.00000002.1885338288.000001F096412000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	NEVER OPEN!.exe, 00000001.00000002.1892734894.000001F097770000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1795006849.000001F097608000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1794679097.000001F0975C8000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F099640000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F0996E8000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1792420967.000001F097770000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/addi00000/empyrean-injection/main/obfuscated.js	NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F09858C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	NEVER OPEN!.exe, 00000000.00000003.1720631750.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	NEVER OPEN!.exe, 00000001.00000003.1875330985.000001F097460000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1877208570.000001F097472000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1766457914.000001F097363000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1874148217.000001F097453000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Rapptz/discord.py	NEVER OPEN!.exe, 00000001.00000002.1893884891.000001F097FD0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pyparsing/pyparsing/wiki	NEVER OPEN!.exe, 00000001.00000002.1884428139.000001F0962C9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.zhihu.com/	NEVER OPEN!.exe, 00000001.00000002.1894453507.000001F0985C0000.00000004.00001000.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1894904086.000001F09967C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pypi.python.org/pypi/sphinx	NEVER OPEN!.exe, 00000000.00000003.1727627941.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pygments.org/docs/styles/#getting-a-list-of-available-styles).	NEVER OPEN!.exe, 00000001.00000003.1870753414.000001F09654A000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1871824181.000001F096535000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization).	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.attrs.org/en/stable/changelog.html)	NEVER OPEN!.exe, 00000000.00000003.1728329882.0000027663DF9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/library/itertools.html#recipes	NEVER OPEN!.exe, 00000001.00000003.1746818736.000001F095D1D000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000003.1748289517.000001F095DAC000.00000004.00000020.00020000.00000000.sdmp, NEVER OPEN!.exe, 00000001.00000002.1883696004.000001F095E40000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.137.232	discord.com	United States	13335	CLOUDFLARENETUS	false
185.199.110.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
104.26.9.44	ipapi.co	United States	13335	CLOUDFLARENETUS	false
104.16.124.96	www.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556387
Start date and time:	2024-11-15 10:47:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	54
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NEVER OPEN!.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@78/365@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 74% Number of executed functions: 116 Number of non-executed functions: 193
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.95.31.18, 13.85.23.206
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: NEVER OPEN!.exe

Simulations

Behavior and APIs

Time	Type	Description
04:48:13	API Interceptor	9x Sleep call for process: WMIC.exe modified
09:48:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run empyrean C:\Users\user\AppData\Roaming\empyrean\run.bat
09:48:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run empyrean C:\Users\user\AppData\Roaming\empyrean\run.bat

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.137.232	YDW0S5K7hi.exe	Get hash	malicious	SilverRat	Browse
	Xyq6rvzLJs.exe	Get hash	malicious	SilverRat	Browse
	CFuejz2dRu.exe	Get hash	malicious	Discord Token Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	570ZenR882.exe	Get hash	malicious	Unknown	Browse
	Ff0ZjqSI9Y.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.3620.22364.exe	Get hash	malicious	Unknown	Browse
	EUOgPjsBTC.exe	Get hash	malicious	Unknown	Browse
	webhook.ps1	Get hash	malicious	Unknown	Browse
185.199.110.133	sys_upd.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt
104.26.9.44	http://finnewsafrica.com	Get hash	malicious	Unknown	Browse	ipapi.co/jsonp/?callback=__geoJSONPCallback

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	HeilHitler.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	file.exe	Get hash	malicious	CStealer	Browse	162.159.138.232
	B78DGDwttv.exe	Get hash	malicious	SilverRat	Browse	162.159.135.232
	YDW0S5K7hi.exe	Get hash	malicious	SilverRat	Browse	162.159.137.232
	cDRgXaadjD.exe	Get hash	malicious	SilverRat	Browse	162.159.128.233
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse	162.159.128.233
	Xyq6rvzLJs.exe	Get hash	malicious	SilverRat	Browse	162.159.137.232
	00514DIRyT.exe	Get hash	malicious	GO Stealer	Browse	162.159.136.232
	yuki.exe	Get hash	malicious	Luna Stealer	Browse	162.159.138.232
	CFuejz2dRu.exe	Get hash	malicious	Discord Token Stealer	Browse	162.159.135.232
www.cloudflare.com	NewVoicemail - +1 392 504 7XXX00-33Rebecca.silvaTranscript.html	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://sos-at-vie-1.exo.io/bucketrack/dir62/final/prove-not-robot-check.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.16.123.96
	Invitation Letter from Ministry of Defence China.html	Get hash	malicious	HTMLPhisher	Browse	104.16.124.96
	https://sv-management.solarflevoland.nl/wix	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://support-facebook.kb.help/your-facebook-account-has-been-restricted/	Get hash	malicious	HTMLPhisher	Browse	104.16.124.96
	https://krtra.com/t/vOPRDbTNH5dT	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
	http://go.wafykoe.com/0nbe	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
	http://mailsystem.clubreadymail.com/ls/click?upn=u001.dtlwkBC06DNvwxOIDozee7JfaEFoikK29eANg7C1JNJcXhZ5gVX-2FXngetD1DVBofJAdCxJYPz79KkHjQ4a88CWk3uwk0LHTd-2BQuqz7QlX5FT8W9oRLmLCtzSTX4k0IZqtxXd_tqQENWc9xFqnCCp3iHBun6Ny8Hr4S4LXflP5eWCRCPqMvoWfGV9u-2FwKqzOzsMAx2mMZTD10t6F-2Fa-2BzGZBzV05lc-2BTr9aqg9-2BqytIbVadpFenaHQ0v-2BIdTTiMe-2F-2BfHHsBDK3wAuPgwhtkcw4b5gAaeO6jGph7EzccXK6qZ9q3RXZcEXV8nVUtJyrcSCDmB-2Bn3qJnRr0-2BMlZvtkB3QnuJkj-2BigNgcTK7oh9PPlXl-2FakX6q-2BsTqF4DIEpeEYAXLd3sT	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fonedrive.live.com%2Fredir%3Fresid%3DA2C259BD24DEB977%25211517%26authkey%3D%2521AMV6sdjMIZf95vs%26page%3DView%26wd%3Dtarget%2528Quick%2520Notes.one%257C8266a05f-045a-4cc0-bddc-4debc90069bb%252FNotera%2520H6TYD9J4rDFDFECZC-HUYW%257Ca949d04d-b4e2-4509-b99f-d04546199b7b%252F%2529%26wdorigin%3DNavigationUrl&id=71de&rcpt=johan.brandt@skolverket.se&tss=1729830791&msgid=2d0ccdeb-928a-11ef-8a2e-0050569b0508&html=1&h=008c08c0	Get hash	malicious	Unknown	Browse	104.16.123.96
	https://onlinepdf-qrsharedfile.com/index.html#XYW5uaWUua3lwcmlhbm91QGxjYXR0ZXJ0b24uY29t	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
ipapi.co	Hess-INV87796-9_588115125.doc	Get hash	malicious	Unknown	Browse	104.26.8.44
	Hess-INV87796-9_588115125.doc	Get hash	malicious	Unknown	Browse	172.67.69.226
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	104.26.8.44
	Steelcase Series 1 Sustainable Office Chair _ Steelcase.html	Get hash	malicious	Unknown	Browse	172.67.74.51
	https://pub-6838e3dd185d4df89d3bb3eabe6469a4.r2.dev/index.html#	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para);	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://pub-75eadb7757ac4bf2ab3de7c52d2a4895.r2.dev/index.html#'+tFjvjBPh,document%5B'body'%5D%5B'appendChild'%5D(para)	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	https://ipfs.io/ipfs/QmNRd2YnNadczqweR7UkjNBG3cvGj4th37n2oBP7ZKKPD8#test@kghm.com	Get hash	malicious	HTMLPhisher	Browse	172.67.69.226
bg.microsoft.map.fastly.net	HeilHitler.exe	Get hash	malicious	Blank Grabber	Browse	199.232.214.172
	https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.google.es%2Furl%3Fq%3Dquerydvj3%28spellCorrectionEnabled%253Atrue%252CrecentSearchParam%253A%28id%253A3891228890%252CdoLogHistory%253Atrue%29%252Cfilters%253AList%28%28type%253AREGION%252Cvalues%253AList%28%28id%253A103644278%252Ctext%253AUnited%252520States%252CselectionType%253AINCLUDED%29%29%29%29%252Ckeywords%253Aremote%29%26sessionId%3D5NTcRf4wT3OOZdAOuNu6%252FQ%253D%253Dquery%28spellCorrectionEnabled%253Atrue%252CrecentSearchParam%253A%28id%253A3891228890%252CdoLogHistory%253Atrue%29%252Cfilters%253AList%28%28type%253AREGION%252Cvalues%253AList%28%28id%253A103644278%252Ctext%253AUnited%252520States%252CselectionType%253AINCLUDED%29%29%29%29%252Ckeywords%253Aremote%29%26sessionId%3D5NTcRf4wT3OOZdAOuNu6%252FQ%253D%253Dquery%28spellCorrectionEnabled%253Atrue%252CrecentSearchParam%253A%28id%253A3891228890%252CdoLogHistory%253Atrue%29%252Cfilters%253AList%28%28type%253AREGION%252Cvalues%253AList%28%28id%253A103644278%252Ctext%253AUnited%252520States%252CselectionType%253AINCLUDED%29%29%29%29%252Ckeywords%253Aremote%29%26sessionId%3D5NTcRf4wT3OOZdAOuNu6%252FQ%253D%253Dquery%28spellCorrectionEnabled%253Atrue%252CrecentSearchParam%253A%28id%253A3891228890%252CdoLogHistory%253Atrue%29%252Cfilters%253AList%28%28type%253AREGION%252Cvalues%253AList%28%28id%253A103644278%252Ctext%253AUnited%252520States%252CselectionType%253AINCLUDED%29%29%29%29%252Ckeywords%253Aremote%29%26sessionId%3D5NTcRf4wT3OOZdAOuNu6%252FQ%253D%253D%26sa%3Dt%26url%3Damp%252fsafrareal.com.br%252fyoya%252fcwvw6vvf1g5bqgkdfsxdiiczthvxp3de8xxbs%2FcG1lQGZlZGVnYXJpYXNpYS5jb20%3D%24%3F&e=24a2acfd&h=70c4a2f4&f=n&p=y	Get hash	malicious	Unknown	Browse	199.232.214.172
	dekont_7083037 T#U00dcRK#U0130YE HALK BANKASI A.#U015e pdf .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.210.172
	5z3Wzl6uag.js	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://kunnskapsfilm.no	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.google.es/url?q=queryrp18(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fpreview.adope.jp%2fod%2f8gqnmo6zgfuuc6sej4k7rfdswihr8l%2fZnJhbnMuZW5nZWxicmVjaHRAYXJkYWdoZ3JvdXAuY29t$?	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.payceconsultings.com/#choonghoon.kim@hyundaielevator.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://tvdseo.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.google.ch/url?sa=https://r20.rs6.net/tns.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/afrotech2023.com%2Fdhj%2F4298727249/bmljay5zcHVybG9ja0BsZWcud2EuZ292	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.google.com/url?sa=https://r20.rs6.net/tnt.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/%73%61%66%65%74%79%77%6F%72%6B%73%6F%6C%75%74%69%6F%6E%73%2E%63%6F%6D%2F%73%78%7A%70%2F7220292368/am9lLm5ndXllbkBsZWcud2EuZ292	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	HeilHitler.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Email_sending_restriction_[sebastien.morel!](#HOHSM).html	Get hash	malicious	Unknown	Browse	172.67.151.164
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	9RM52QaURq.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	HZ1BUCfTne.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	9RM52QaURq.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	bv2DbIiZeK.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	brozer.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	NewVoicemail - +1 392 504 7XXX00-33Rebecca.silvaTranscript.html	Get hash	malicious	Unknown	Browse	104.16.123.96
CLOUDFLARENETUS	HeilHitler.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Email_sending_restriction_[sebastien.morel!](#HOHSM).html	Get hash	malicious	Unknown	Browse	172.67.151.164
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	9RM52QaURq.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	HZ1BUCfTne.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	9RM52QaURq.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	bv2DbIiZeK.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	brozer.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	NewVoicemail - +1 392 504 7XXX00-33Rebecca.silvaTranscript.html	Get hash	malicious	Unknown	Browse	104.16.123.96
FASTLYUS	NewVoicemail - +1 392 504 7XXX00-33Rebecca.silvaTranscript.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://pxc.etemenonfor.com/lyKCxL5/#Ipoeschl@poeschl-tobacco.de	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://www.google.es/url?q=queryrp18(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3Dquery(spellCorrectionEnabled%3Atrue%2CrecentSearchParam%3A(id%3A3891228890%2CdoLogHistory%3Atrue)%2Cfilters%3AList((type%3AREGION%2Cvalues%3AList((id%3A103644278%2Ctext%3AUnited%2520States%2CselectionType%3AINCLUDED))))%2Ckeywords%3Aremote)&sessionId=5NTcRf4wT3OOZdAOuNu6%2FQ%3D%3D&sa=t&url=amp%2fpreview.adope.jp%2fod%2f8gqnmo6zgfuuc6sej4k7rfdswihr8l%2fZnJhbnMuZW5nZWxicmVjaHRAYXJkYWdoZ3JvdXAuY29t$?	Get hash	malicious	Unknown	Browse	151.101.194.137
	Request_for_Title_Commitment.html	Get hash	malicious	Unknown	Browse	151.101.66.137
	Mark Qualman.zip	Get hash	malicious	Unknown	Browse	151.101.193.91
	https://www.drawnames.com/wishlist/edit/D0gYBJzjFoJ7rv0HFu_iKQ-/JAvmRE-y4vYaeZ2GN316lg-	Get hash	malicious	Unknown	Browse	151.101.1.16
	http://www.drawnames.com/wishlist/add/GeoZyywvK48h1oNNizPuIQ-/W47fz4Y7Ik4eooK-94HN8w-	Get hash	malicious	Unknown	Browse	151.101.66.132
	https://linklock.titanhq.com/analyse?url=https%3A%2F%2Fmyarrowleaf1-my.sharepoint.com%2F%3Af%3A%2Fg%2Fpersonal%2Fmarge_penrod_myarrowleaf_org%2FElQV40bjfBZKivPSKIPxGuYBa20TAVuQG9ya4YrQRKjHiQ%3Fe%3D7nML8f&data=eJxVzctugzAQBdCvMbtGBqOkWXhBlOYhUiW0VaR0gyZgGyL80Ng05e8L6aaVZlZz7p2Kz5PlPI1BxBQqFtW8qkF14P2ssjrSfEEPxukjHONsHXlusRboSUrN_aG0VA-IPFyxVU0QOB7_dfS8CcF5wjKSbMbRAyDaeydAxk96mPkGUDjbmjDxybBM_mo1rhv_WQPdlARUonTCoK3LPzWlxUm-dMU5pdebXH3m7dfpPd-fvrf9ZQUJ_cjOfbFdDpBesHjLb7u2IGwjCFsvzOvhWf4A0NhYxQ%25%25	Get hash	malicious	Unknown	Browse	151.101.2.137
	Request_for_Title_Commitment.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://www.drawnames.com/wishlist/draw/GeoZyywvK48h1oNNizPuIQ-/W47fz4Y7Ik4eooK-94HN8w-/4	Get hash	malicious	Unknown	Browse	151.101.65.16
CLOUDFLARENETUS	HeilHitler.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	Email_sending_restriction_[sebastien.morel!](#HOHSM).html	Get hash	malicious	Unknown	Browse	172.67.151.164
	ArenaWarsSetup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	9RM52QaURq.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	HZ1BUCfTne.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	9RM52QaURq.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	bv2DbIiZeK.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	brozer.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	NewVoicemail - +1 392 504 7XXX00-33Rebecca.silvaTranscript.html	Get hash	malicious	Unknown	Browse	104.16.123.96

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_ARC4.pyd	Bootstrapper V1.19.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse
	VXLauncher.exe	Get hash	malicious	Empyrean, Discord Token Stealer	Browse
	LisectAVT_2403002A_210.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse
	Restortion.clinic.exe	Get hash	malicious	Empyrean, Discord Token Stealer	Browse
	0x000700000001ac52-36.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse
	8Zi7xnKKw7.exe	Get hash	malicious	Python Stealer, DCRat, Discord Token Stealer, Empyrean	Browse
	J54GP6x3r4.exe	Get hash	malicious	DCRat, Discord Token Stealer, Empyrean	Browse
	Bypass1.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, Empyrean	Browse
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, Empyrean	Browse
	DiscordOptimizer__v1.1.8.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, Empyrean	Browse

Process:	C:\Users\user\AppData\Roaming\empyrean\dat.txt
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	6.791071822964766
Encrypted:	false
SSDEEP:	192:d519kKsPOR3drvDtDvIqEk7KzmYMJHFKHkyUxaVXFaLuH2:d57kKsWR3RvDtDvIqFmdwQHnUxaVXALX
MD5:	D9F2264898AAAA9EF6152A1414883D0F
SHA1:	E0661549D6BF59FFDA98FCCC00756F44CAF02228
SHA-256:	836CBA3B83B00427430FE6E1C4E45790616BC85C57DBD6E6D5B6930A9745B715
SHA-512:	BA033BAF7C3B93BBF8FCE4F24BC37930D6CE419EE3F517D2BC9702417E821F5FDA5FB9334A08B37FED55B3B9535CD194A3B79DD70653D1F8C4C0DD906EBF1B04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Bootstrapper V1.19.exe, Detection: malicious, Browse Filename: VXLauncher.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_210.exe, Detection: malicious, Browse Filename: Restortion.clinic.exe, Detection: malicious, Browse Filename: 0x000700000001ac52-36.exe, Detection: malicious, Browse Filename: 8Zi7xnKKw7.exe, Detection: malicious, Browse Filename: J54GP6x3r4.exe, Detection: malicious, Browse Filename: Bypass1.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: DiscordOptimizer__v1.1.8.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&...H...H...H......H..I...H..I...H...I...H..M...H..L...H..K...H...@...H...H...H.......H...J...H.Rich..H.........................PE..d...ba.c.........." ...". .......p........................................................`.........................................L..........\............@........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................"..............@......................................................................................................................................................................................................................................................................................................................................................3.96.UPX!.$..

Process:	C:\Users\user\Desktop\NEVER OPEN!.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	6.791071822964766
Encrypted:	false
SSDEEP:	192:d519kKsPOR3drvDtDvIqEk7KzmYMJHFKHkyUxaVXFaLuH2:d57kKsWR3RvDtDvIqFmdwQHnUxaVXALX
MD5:	D9F2264898AAAA9EF6152A1414883D0F
SHA1:	E0661549D6BF59FFDA98FCCC00756F44CAF02228
SHA-256:	836CBA3B83B00427430FE6E1C4E45790616BC85C57DBD6E6D5B6930A9745B715
SHA-512:	BA033BAF7C3B93BBF8FCE4F24BC37930D6CE419EE3F517D2BC9702417E821F5FDA5FB9334A08B37FED55B3B9535CD194A3B79DD70653D1F8C4C0DD906EBF1B04
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&...H...H...H......H..I...H..I...H...I...H..M...H..L...H..K...H...@...H...H...H.......H...J...H.Rich..H.........................PE..d...ba.c.........." ...". .......p........................................................`.........................................L..........\............@........................................................@...........................................UPX0.....p..............................UPX1..... ..........................@....rsrc................"..............@......................................................................................................................................................................................................................................................................................................................................................3.96.UPX!.$..

Process:	C:\Windows\System32\reg.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.237326145256008
Encrypted:	false
SSDEEP:	3:bqX4LxGT82AGN8cyn:bqX4E8NGN8Rn
MD5:	13015015DD907D28996153DF14881252
SHA1:	532C595BAAE0A027D02D1B28D7B83D57350A310E
SHA-256:	4499283166530CE395CBC12677FEF2BD52759EACDCC5BDDE56C039B1A2E99C0B
SHA-512:	B81FB62AB27E7722BFCB386766FFA1D1EBA05B8B03CD5D2160BB2570F87568381D923AC75017D785E1DEC1685769023727F4280E27C2A69CDE69772CA62E2A92
Malicious:	false
Preview:	The operation completed successfully....

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.997981196444236
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NEVER OPEN!.exe
File size:	18'752'296 bytes
MD5:	61b5a3066bcf661f69b9e362ef1a1f8c
SHA1:	bc6701f2a76cb5db3ea27371240b7e295382d29c
SHA256:	2949df50691624e3a64635fbf690527e245d5c83dd3bd8f000f34447a6386ba2
SHA512:	641aacd33f4d73f5d488d1799159832b423c0025b9916ac3c5a484b57fa4da1ce270d7cc5f7d428ab03d1aa9791995a86af496f68417612a55bb5ad6e06b14b0
SSDEEP:	393216:dqPnLFXlrzQMDOETgsvfGjg+lPvEny38cdwAqo:kPLFXNzQRECJlUFc8o
TLSH:	561733F0625809A6E8E6553E5C0F8C6B0177FD4623A4DCCE83B099388FA37556D7AF90
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................@.......@...-...@.........H.............................@...............................Rich............PE..d..

Entrypoint:	0x14000afa0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x673658CD [Thu Nov 14 20:08:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	1e92fd54d65284238a0e3b74b2715062

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ba24	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0xf498	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4e000	0x20a0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x62000	0x754	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x393e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x392a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x418	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28710	0x28800	e4f89af1ba6511882cb4cd14d9f6eca0	False	0.5585214120370371	data	6.48667752666415	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x1282e	0x12a00	29cfdb771ac5a0e8dad7691c1dab8e10	False	0.5137111996644296	data	5.813033106784007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x103e8	0xe00	8197d15b5af8fff7ec6022f8809b64c8	False	0.13058035714285715	data	1.801142684063006	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4e000	0x20a0	0x2200	77e2f2d72516a8aa1832e8298e54381f	False	0.47598805147058826	data	5.325748796775067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x51000	0x15c	0x200	0ed86077474ad8a4a0621ecbc29cb84c	False	0.38671875	data	2.757915683398695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0xf498	0xf600	ac8c7cbe6626a5ff9e2bb1338d967035	False	0.8035759654471545	data	7.555572206814068	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x62000	0x754	0x800	7fed9a3addc55d51107d5af5a380ab8e	False	0.5439453125	data	5.239333644236171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x52208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x530b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x53958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x53ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x5d3ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x5f994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x60a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x60ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x60f0c	0x589	XML 1.0 document, ASCII text, with CRLF line terminators	0.4453069865913903

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetCPInfo, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, GetEnvironmentVariableW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, SetConsoleCtrlHandler, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 10:48:08.439357042 CET	49731	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:08.439450979 CET	443	49731	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:08.439528942 CET	49731	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:08.528796911 CET	49731	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:08.528883934 CET	443	49731	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:09.289207935 CET	443	49731	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:09.289699078 CET	49731	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:09.289748907 CET	443	49731	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:09.291917086 CET	443	49731	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:09.292032957 CET	49731	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:09.292531967 CET	49731	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:09.292671919 CET	49731	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:09.513334990 CET	49732	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:09.513370991 CET	443	49732	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:09.513870955 CET	49732	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:09.530512094 CET	49732	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:09.530534029 CET	443	49732	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:10.169418097 CET	443	49732	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:10.169893026 CET	49732	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:10.169914007 CET	443	49732	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:10.171372890 CET	443	49732	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:10.171447992 CET	49732	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:10.172060966 CET	49732	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:10.172218084 CET	49732	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:12.249712944 CET	49733	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:12.249809980 CET	443	49733	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:12.249898911 CET	49733	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:12.260857105 CET	49733	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:12.260895014 CET	443	49733	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:12.873447895 CET	443	49733	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:12.873783112 CET	49733	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:12.873816967 CET	443	49733	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:12.875282049 CET	443	49733	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:12.875343084 CET	49733	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:12.875802040 CET	49733	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:12.875916004 CET	49733	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:17.643629074 CET	49735	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:17.643675089 CET	443	49735	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:17.643851995 CET	49735	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:17.657783985 CET	49735	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:17.657795906 CET	443	49735	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:18.264971018 CET	443	49735	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:18.265836954 CET	49735	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:18.265862942 CET	443	49735	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:18.267255068 CET	443	49735	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:18.267371893 CET	49735	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:18.268106937 CET	49735	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:18.268332005 CET	443	49735	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:18.268593073 CET	49735	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:18.268814087 CET	49735	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:31.102101088 CET	49742	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:31.102155924 CET	443	49742	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:31.102247953 CET	49742	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:31.114285946 CET	49742	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:31.114300966 CET	443	49742	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:31.844444990 CET	443	49742	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:31.857414007 CET	49742	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:31.857487917 CET	443	49742	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:31.858689070 CET	443	49742	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:31.858773947 CET	49742	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:31.859812021 CET	49742	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:31.860008955 CET	49742	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:31.860012054 CET	443	49742	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:31.860094070 CET	49742	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:32.590434074 CET	49743	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:32.590490103 CET	443	49743	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:32.590624094 CET	49743	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:32.609607935 CET	49743	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:32.609646082 CET	443	49743	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:33.229218006 CET	443	49743	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:33.229640961 CET	49743	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:33.229674101 CET	443	49743	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:33.232901096 CET	443	49743	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:33.232978106 CET	49743	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:33.233428955 CET	49743	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:33.233589888 CET	49743	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:35.899167061 CET	49744	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:35.899238110 CET	443	49744	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:35.899321079 CET	49744	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:35.909529924 CET	49744	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:35.909555912 CET	443	49744	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:36.716387033 CET	443	49744	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:36.716882944 CET	49744	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:36.716916084 CET	443	49744	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:36.720546007 CET	443	49744	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:36.720628977 CET	49744	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:36.721225977 CET	49744	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:36.721431017 CET	49744	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:41.430165052 CET	49746	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:41.430205107 CET	443	49746	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:41.430326939 CET	49746	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:41.448781013 CET	49746	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:41.448798895 CET	443	49746	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:42.187714100 CET	443	49746	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:42.188215971 CET	49746	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:42.188251019 CET	443	49746	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:42.189769030 CET	443	49746	104.26.9.44	192.168.2.4
Nov 15, 2024 10:48:42.189843893 CET	49746	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:42.198266029 CET	49746	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:42.198482037 CET	49746	443	192.168.2.4	104.26.9.44
Nov 15, 2024 10:48:42.264038086 CET	49747	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:42.264097929 CET	443	49747	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:42.264162064 CET	49747	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:42.276490927 CET	49747	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:42.276521921 CET	443	49747	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:42.922631025 CET	443	49747	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:42.923352957 CET	49747	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:42.923417091 CET	443	49747	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:42.924932003 CET	443	49747	162.159.137.232	192.168.2.4
Nov 15, 2024 10:48:42.925005913 CET	49747	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:42.925434113 CET	49747	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:42.925582886 CET	49747	443	192.168.2.4	162.159.137.232
Nov 15, 2024 10:48:43.285465956 CET	49748	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:43.285507917 CET	443	49748	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:43.287091017 CET	49748	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:43.297801018 CET	49748	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:43.297827005 CET	443	49748	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:43.917821884 CET	443	49748	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:43.918669939 CET	49748	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:43.918689013 CET	443	49748	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:43.922262907 CET	443	49748	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:43.922338963 CET	49748	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:43.923051119 CET	49748	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:43.923051119 CET	49748	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:46.289957047 CET	49749	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:46.290067911 CET	443	49749	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:46.290226936 CET	49749	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:46.305861950 CET	49749	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:46.305951118 CET	443	49749	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:46.925005913 CET	443	49749	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:46.925582886 CET	49749	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:46.925643921 CET	443	49749	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:46.926687002 CET	443	49749	185.199.110.133	192.168.2.4
Nov 15, 2024 10:48:46.926789045 CET	49749	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:46.927411079 CET	49749	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:46.927536964 CET	49749	443	192.168.2.4	185.199.110.133
Nov 15, 2024 10:48:52.800990105 CET	57195	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:52.801042080 CET	443	57195	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:52.801132917 CET	57195	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:52.811853886 CET	57195	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:52.811871052 CET	443	57195	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:53.425821066 CET	443	57195	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:53.426716089 CET	57195	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:53.426743031 CET	443	57195	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:53.427753925 CET	443	57195	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:53.427815914 CET	57195	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:53.428376913 CET	57195	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:53.428512096 CET	443	57195	104.16.124.96	192.168.2.4
Nov 15, 2024 10:48:53.428528070 CET	57195	443	192.168.2.4	104.16.124.96
Nov 15, 2024 10:48:53.428561926 CET	57195	443	192.168.2.4	104.16.124.96

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 10:48:08.407689095 CET	51940	53	192.168.2.4	1.1.1.1
Nov 15, 2024 10:48:08.416260004 CET	53	51940	1.1.1.1	192.168.2.4
Nov 15, 2024 10:48:09.505464077 CET	50800	53	192.168.2.4	1.1.1.1
Nov 15, 2024 10:48:09.512577057 CET	53	50800	1.1.1.1	192.168.2.4
Nov 15, 2024 10:48:12.241525888 CET	49293	53	192.168.2.4	1.1.1.1
Nov 15, 2024 10:48:12.248785019 CET	53	49293	1.1.1.1	192.168.2.4
Nov 15, 2024 10:48:17.635457993 CET	55094	53	192.168.2.4	1.1.1.1
Nov 15, 2024 10:48:17.642698050 CET	53	55094	1.1.1.1	192.168.2.4
Nov 15, 2024 10:48:46.482528925 CET	53	52571	162.159.36.2	192.168.2.4
Nov 15, 2024 10:48:47.204001904 CET	53	58505	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	04:48:02
Start date:	15/11/2024
Path:	C:\Users\user\Desktop\NEVER OPEN!.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\NEVER OPEN!.exe"
Imagebase:	0x7ff619bc0000
File size:	18'752'296 bytes
MD5 hash:	61B5A3066BCF661F69B9E362EF1A1F8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	04:48:05
Start date:	15/11/2024
Path:	C:\Users\user\Desktop\NEVER OPEN!.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\NEVER OPEN!.exe"
Imagebase:	0x7ff619bc0000
File size:	18'752'296 bytes
MD5 hash:	61B5A3066BCF661F69B9E362EF1A1F8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	04:48:06
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	04:48:12
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	04:48:14
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	17
Start time:	04:48:15
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	04:48:23
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\empyrean\run.bat" "
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	04:48:26
Start date:	15/11/2024
Path:	C:\Users\user\AppData\Roaming\empyrean\dat.txt
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\empyrean\dat.txt
Imagebase:	0x7ff670a70000
File size:	18'752'296 bytes
MD5 hash:	61B5A3066BCF661F69B9E362EF1A1F8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Empyrean, Description: Yara detected Empyrean, Source: 0000001A.00000002.2151057596.0000013317E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	27
Start time:	04:48:27
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NEVER OPEN!.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI2802\Crypto\Cipher\_raw_ecb.pyd

Windows Analysis Report
NEVER OPEN!.exe

Target ID:	29
Start time:	04:48:31
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\empyrean\run.bat" "
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	04:48:35
Start date:	15/11/2024
Path:	C:\Users\user\AppData\Roaming\empyrean\dat.txt
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\empyrean\dat.txt
Imagebase:	0x7ff670a70000
File size:	18'752'296 bytes
MD5 hash:	61B5A3066BCF661F69B9E362EF1A1F8C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Empyrean, Description: Yara detected Empyrean, Source: 00000020.00000002.2233150692.000001A88A4E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	33
Start time:	04:48:36
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	04:48:37
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	38
Start time:	04:48:38
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	41
Start time:	04:48:40
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	44
Start time:	04:48:46
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	47
Start time:	04:48:48
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	50
Start time:	04:48:50
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff676be0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	52