Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:	download.ps1
Analysis ID:	1571247
MD5:	e9b2e27454fc1326cdb24bfc3b55b236
SHA1:	3416a2cbba0a6c1e4e8f33f671dfea5e5aacc3f8
SHA256:	cafc0a8f8b2a71b91f6ce0768d1e27e385d14879bdd591d47adfb4e492fde5db
Tags:	KongTukeps1user-monitorsg
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Opens network shares

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

check.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe" MD5: A243FE9D1CFB5BF4E5C21C6E4861E09C)

check.exe (PID: 1132 cmdline: "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe" MD5: A243FE9D1CFB5BF4E5C21C6E4861E09C)

systeminfo.exe (PID: 7344 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3688 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1888 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 3008 cmdline: C:\Windows\system32\WerFault.exe -u -p 1132 -s 900 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

check.exe (PID: 5936 cmdline: "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe" MD5: A243FE9D1CFB5BF4E5C21C6E4861E09C)

check.exe (PID: 3104 cmdline: "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe" MD5: A243FE9D1CFB5BF4E5C21C6E4861E09C)

systeminfo.exe (PID: 4688 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5072 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5288 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 5888 cmdline: C:\Windows\system32\WerFault.exe -u -p 3104 -s 908 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

check.exe (PID: 2936 cmdline: "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe" MD5: A243FE9D1CFB5BF4E5C21C6E4861E09C)

check.exe (PID: 6132 cmdline: "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe" MD5: A243FE9D1CFB5BF4E5C21C6E4861E09C)

systeminfo.exe (PID: 5520 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7648 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1352 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 1424 cmdline: C:\Windows\system32\WerFault.exe -u -p 6132 -s 972 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7296, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7296, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7296, TargetFilename: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 7296, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://hkinuxb3bz.top/1.php?s=527

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: download.ps1

Virustotal: Detection: 10%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.6% probability

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C95DC0 CRYPTO_memcmp,	29_2_00007FF810C95DC0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C911E0 _Py_NoneStruct,_PyArg_UnpackKeywords,PyObject_GetBuffer,PyObject_GetBuffer,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,EVP_PBE_scrypt,PyBytes_FromStringAndSize,PyEval_SaveThread,EVP_PBE_scrypt,PyEval_RestoreThread,PyExc_ValueError,PyErr_SetString,PyBuffer_Release,PyBuffer_Release,PyLong_AsLong,PyErr_Occurred,PyLong_AsLong,PyErr_Occurred,PyExc_ValueError,PyExc_ValueError,PyErr_Format,_PyArg_BadArgument,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyExc_OverflowError,PyExc_OverflowError,_Py_Dealloc,PyExc_ValueError,	29_2_00007FF810C911E0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1A23 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	29_2_00007FF810CA1A23
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CAF160 CRYPTO_free,CRYPTO_memdup,	29_2_00007FF810CAF160
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA11A9 CRYPTO_free,	29_2_00007FF810CA11A9
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1A32 CRYPTO_free,CRYPTO_memdup,ERR_new,ERR_set_debug,	29_2_00007FF810CA1A32
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CD92E0 CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,	29_2_00007FF810CD92E0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA195B CRYPTO_zalloc,EVP_MAC_free,EVP_MAC_CTX_free,CRYPTO_free,	29_2_00007FF810CA195B
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1262 X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	29_2_00007FF810CA1262
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1B90 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,	29_2_00007FF810CA1B90
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1F8C CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,	29_2_00007FF810CA1F8C
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CAD227 CRYPTO_free,CRYPTO_strdup,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,	29_2_00007FF810CAD227
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CAD3CA CRYPTO_free,	29_2_00007FF810CAD3CA
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA111D CRYPTO_zalloc,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_new,ERR_set_debug,ERR_set_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_new,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	29_2_00007FF810CA111D
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CAB300 CRYPTO_clear_free,	29_2_00007FF810CAB300
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1677 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	29_2_00007FF810CA1677
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA17F8 EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key_ex,EVP_DigestSignInit_ex,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,EVP_MD_CTX_free,EVP_PKEY_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	29_2_00007FF810CA17F8
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1992 ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_new,ERR_set_debug,ERR_set_error,CRYPTO_free,CRYPTO_strdup,OPENSSL_LH_new,X509_STORE_new,CTLOG_STORE_new_ex,OPENSSL_sk_num,X509_VERIFY_PARAM_new,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,CRYPTO_secure_zalloc,RAND_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,RAND_priv_bytes_ex,ERR_new,ERR_set_debug,	29_2_00007FF810CA1992
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1393 CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,memcpy,	29_2_00007FF810CA1393
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1EDD CRYPTO_malloc,ERR_new,ERR_set_debug,ERR_set_error,OPENSSL_sk_find,CRYPTO_free,ERR_new,ERR_set_debug,OPENSSL_sk_push,CRYPTO_free,ERR_new,ERR_new,ERR_set_debug,ERR_set_error,	29_2_00007FF810CA1EDD
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1444 EVP_MD_CTX_new,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,EVP_MD_CTX_free,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_memcmp,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,memcpy,memcpy,	29_2_00007FF810CA1444
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA2126 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memcmp,ERR_new,ERR_set_debug,_time64,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	29_2_00007FF810CA2126
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1997 ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_decapsulate,ERR_new,ERR_new,ERR_set_debug,CRYPTO_clear_free,EVP_PKEY_CTX_free,	29_2_00007FF810CA1997
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810D1B430 ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,CRYPTO_malloc,ERR_new,ERR_set_debug,EVP_PKEY_CTX_new_from_pkey,ERR_new,ERR_set_debug,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_set_rsa_padding,OSSL_PARAM_construct_uint,OSSL_PARAM_construct_end,EVP_PKEY_CTX_set_params,EVP_PKEY_decrypt,OPENSSL_cleanse,ERR_new,ERR_new,ERR_new,ERR_set_debug,CRYPTO_free,EVP_PKEY_CTX_free,	29_2_00007FF810D1B430
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA21E9 ERR_new,ERR_set_debug,CRYPTO_free,CRYPTO_malloc,ERR_new,ERR_set_debug,memcpy,ERR_new,ERR_set_debug,	29_2_00007FF810CA21E9
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA2469 CRYPTO_memcmp,ERR_new,ERR_set_debug,memchr,ERR_new,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,ERR_new,ERR_set_debug,	29_2_00007FF810CA2469
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1181 CRYPTO_free,CRYPTO_free,CRYPTO_free,	29_2_00007FF810CA1181
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA2379 CRYPTO_free,	29_2_00007FF810CA2379

Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: check.exe, 00000009.00000003.1534307223.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: check.exe, 0000000A.00000002.1929551289.00007FF820045000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: check.exe, 0000000A.00000002.1919072539.00007FF817012000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: check.exe, 00000009.00000003.1553092763.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1934814344.00007FF8328F4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: check.exe, 00000009.00000003.1519013024.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1932912138.00007FF8312D5000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: check.exe, 00000009.00000003.1553493586.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: check.exe, 0000000A.00000002.1844584196.00007FF815697000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: check.exe, 0000000A.00000002.1844584196.00007FF815697000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: check.exe, 0000000A.00000002.1934058230.00007FF8328C3000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1932337346.00007FF82F996000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: check.exe, 0000000A.00000002.1922404074.00007FF8175E6000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: check.exe, 0000000A.00000002.1893210919.00007FF8163DA000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1933226912.00007FF8314CB000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1933661076.00007FF8327DD000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1930467841.00007FF8217D9000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: check.exe, 0000000A.00000002.1926008632.00007FF817DB8000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: check.exe, 00000009.00000003.1553493586.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000009.00000003.1518870580.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platformthemes\qxdgdesktopportal.pdb source: check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1908082634.00007FF816C57000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: check.exe, 00000009.00000003.1507846068.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1933483639.00007FF8327C3000.00000002.00000001.01000000.00000014.sdmp, check.exe, 0000000B.00000003.1607144680.000002576C6C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: check.exe, 0000000A.00000002.1919072539.00007FF8170AA000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: check.exe, 0000000A.00000002.1929252341.00007FF81FFA5000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: check.exe, 0000000A.00000002.1922404074.00007FF8175E6000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: check.exe, 00000009.00000003.1534464385.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000009.00000003.1553092763.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1934814344.00007FF8328F4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: check.exe, 0000000A.00000002.1919072539.00007FF8170AA000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1932631944.00007FF830CF3000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1933226912.00007FF8314CB000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1931977826.00007FF82F683000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: check.exe, 0000000A.00000002.1869934497.00007FF815DCA000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: check.exe, 0000000A.00000002.1845027622.00007FF8157A4000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817402826.000001DB18C80000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: check.exe, 0000000A.00000002.1929252341.00007FF81FFA5000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: check.exe, 0000000A.00000002.1929858911.00007FF8217AE000.00000002.00000001.01000000.00000019.sdmp

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4C9280 FindFirstFileExW,FindClose,	9_2_00007FF61C4C9280
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	9_2_00007FF61C4C83C0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_00007FF61C4E1874

Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI77842\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\	Jump to behavior

Source: Joe Sandbox View

IP Address: 104.20.22.46 104.20.22.46

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nodejs.org

Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://.../back.j
Source: check.exe, 0000000A.00000002.1826258226.000001DB19D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredID
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: check.exe, 00000009.00000003.1559975238.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340F2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537630477.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: check.exe, 00000009.00000003.1559975238.000001B4340F2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340EC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: check.exe, 00000009.00000003.1559975238.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: check.exe, 00000009.00000003.1559975238.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340EC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: check.exe, 0000000A.00000002.1817265869.000001DB173A9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19A09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crle
Source: check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlI
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crld:4
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: check.exe, 00000009.00000003.1559975238.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340F2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537630477.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: check.exe, 00000009.00000003.1559975238.000001B4340F2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340EC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: check.exe, 00000009.00000003.1559975238.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537630477.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: check.exe, 00000009.00000003.1559975238.000001B4340F2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340EC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537630477.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: check.exe, 0000000A.00000003.1589519363.000001DB199A2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589120882.000001DB1998F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1588922999.000001DB19A49000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1826258226.000001DB19D90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: check.exe, 0000000A.00000002.1827037234.000001DB19F80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: check.exe, 0000000A.00000002.1818046790.000001DB19260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: check.exe, 0000000A.00000002.1821926701.000001DB19792000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB197AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hkinuxb3bz.top/1.php?s=527
Source: check.exe, 0000000A.00000002.1826258226.000001DB19D90000.00000004.00001000.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: check.exe, 00000009.00000003.1559975238.000001B4340F2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340EC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: check.exe, 00000009.00000003.1559975238.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340EC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340F2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537630477.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: check.exe, 00000009.00000003.1559975238.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: powershell.exe, 00000005.00000002.1553618061.000001E519EBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000005.00000002.1553618061.000001E5183B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1553618061.000001E519EBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: check.exe, 0000000A.00000002.1825899036.000001DB19C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: check.exe, 0000000A.00000002.1893210919.00007FF8163DA000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19792000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/lly
Source: check.exe, 0000000A.00000002.1893210919.00007FF8163DA000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: http://www.color.org)
Source: check.exe, 00000009.00000003.1559975238.000001B4340F2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554187441.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1562411545.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1553967785.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561172890.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1559975238.000001B4340EC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000015.00000003.1807544138.0000013D4CD42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: check.exe, 0000000A.00000003.1589120882.000001DB198DC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: check.exe, 0000000A.00000002.1821926701.000001DB19973000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: check.exe, 0000000A.00000003.1589714879.000001DB1998F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589519363.000001DB199A2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589120882.000001DB1998F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1588922999.000001DB19A49000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19973000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: powershell.exe, 00000005.00000002.1553618061.000001E5183B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: check.exe, 0000000A.00000003.1586390374.000001DB198CD000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1586442426.000001DB198AE000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: check.exe, 0000000A.00000003.1570112394.000001DB18FAE000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1570091446.000001DB19011000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817883773.000001DB19160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: check.exe, 0000000A.00000002.1817508785.000001DB18DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: check.exe, 0000000A.00000002.1817508785.000001DB18DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: check.exe, 0000000A.00000002.1821539091.000001DB19660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: check.exe, 0000000A.00000002.1817265869.000001DB173A9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: check.exe, 0000000A.00000002.1837968089.000001DB1A7C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: check.exe, 0000000A.00000002.1827037234.000001DB19F10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: check.exe, 0000000A.00000002.1817508785.000001DB18DA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: check.exe, 0000000A.00000002.1817265869.000001DB173A9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: check.exe, 0000000A.00000003.1578448364.000001DB192E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1577442083.000001DB1932C000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB19260000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1576602943.000001DB193B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: check.exe, 0000000A.00000002.1820912917.000001DB19560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: check.exe, 0000000A.00000002.1817265869.000001DB173A9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: check.exe, 0000000A.00000002.1821539091.000001DB19660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: check.exe, 0000000A.00000002.1818046790.000001DB19260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: check.exe, 0000000A.00000002.1825899036.000001DB19C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: check.exe, 0000000A.00000002.1825899036.000001DB19C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 00000005.00000002.1553618061.000001E5197B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589120882.000001DB198DC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: check.exe, 0000000A.00000002.1826258226.000001DB19D90000.00000004.00001000.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19A5B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: check.exe, 0000000A.00000003.1589037099.000001DB19455000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1587483493.000001DB19455000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1585208154.000001DB19455000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: check.exe, 0000000A.00000002.1820912917.000001DB19560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip
Source: check.exe, 0000000A.00000002.1825899036.000001DB19C60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: check.exe, 0000000A.00000002.1825553124.000001DB19B60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: check.exe, 0000000A.00000003.1578448364.000001DB192E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1820377142.000001DB19460000.00000004.00001000.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1566990368.000001DB18F21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: check.exe, 0000000A.00000002.1926008632.00007FF817DB8000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: check.exe, 0000000A.00000002.1827037234.000001DB19F10000.00000004.00001000.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1585208154.000001DB19455000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: check.exe, 0000000A.00000002.1837968089.000001DB1A7C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: check.exe, 0000000A.00000003.1589120882.000001DB198B9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: check.exe, 0000000A.00000003.1586442426.000001DB197B0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB197AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: check.exe, 0000000A.00000002.1825553124.000001DB19B60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: check.exe, 0000000A.00000002.1825553124.000001DB19B60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: check.exe, 00000009.00000003.1510664157.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537102861.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1512237097.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1521837112.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1513043317.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1509746314.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535458758.000001B4340F1000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1514617056.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1516403898.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536720593.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1535610449.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1536427051.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: check.exe, 00000009.00000003.1561355505.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1929333303.00007FF81FFE0000.00000002.00000001.01000000.0000001B.sdmp, check.exe, 0000000A.00000002.1921185417.00007FF817154000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: check.exe, 0000000A.00000003.1589037099.000001DB19455000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1587483493.000001DB19455000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1585208154.000001DB19455000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: check.exe, 0000000A.00000002.1821926701.000001DB19A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: check.exe, 0000000A.00000002.1926008632.00007FF817DB8000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: check.exe, 0000000A.00000003.1589120882.000001DB198B9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB197AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589120882.000001DB198DC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4C1000	9_2_00007FF61C4C1000
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E08C8	9_2_00007FF61C4E08C8
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E6964	9_2_00007FF61C4E6964
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4C89E0	9_2_00007FF61C4C89E0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E5C00	9_2_00007FF61C4E5C00
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D35A0	9_2_00007FF61C4D35A0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D1D54	9_2_00007FF61C4D1D54
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4DE570	9_2_00007FF61C4DE570
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E5E7C	9_2_00007FF61C4E5E7C
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D9EA0	9_2_00007FF61C4D9EA0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E9728	9_2_00007FF61C4E9728
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4DDEF0	9_2_00007FF61C4DDEF0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D8794	9_2_00007FF61C4D8794
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D1740	9_2_00007FF61C4D1740
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D1F60	9_2_00007FF61C4D1F60
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4C9800	9_2_00007FF61C4C9800
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E40AC	9_2_00007FF61C4E40AC
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E1874	9_2_00007FF61C4E1874
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D80E4	9_2_00007FF61C4D80E4
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D39A4	9_2_00007FF61C4D39A4
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D1944	9_2_00007FF61C4D1944
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D2164	9_2_00007FF61C4D2164
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4DDA5C	9_2_00007FF61C4DDA5C
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4CA2DB	9_2_00007FF61C4CA2DB
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D1B50	9_2_00007FF61C4D1B50
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D2C10	9_2_00007FF61C4D2C10
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E3C10	9_2_00007FF61C4E3C10
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E08C8	9_2_00007FF61C4E08C8
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E6418	9_2_00007FF61C4E6418
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4CACAD	9_2_00007FF61C4CACAD
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4CA474	9_2_00007FF61C4CA474
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4D5D30	9_2_00007FF61C4D5D30
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF812324350	22_2_00007FF812324350
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF812315527	22_2_00007FF812315527
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF812323380	22_2_00007FF812323380
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF812312BB0	22_2_00007FF812312BB0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF812313650	22_2_00007FF812313650
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF812322450	22_2_00007FF812322450
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF81231EC50	22_2_00007FF81231EC50
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF812316661	22_2_00007FF812316661
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF812319810	22_2_00007FF812319810
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810B91950	29_2_00007FF810B91950
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810B92270	29_2_00007FF810B92270
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810B91300	29_2_00007FF810B91300
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C510A0	29_2_00007FF810C510A0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C43A50	29_2_00007FF810C43A50
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C4C840	29_2_00007FF810C4C840
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C911E0	29_2_00007FF810C911E0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C91E20	29_2_00007FF810C91E20
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA24DC	29_2_00007FF810CA24DC
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA17F8	29_2_00007FF810CA17F8
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA1C12	29_2_00007FF810CA1C12

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: String function: 00007FF810D1D341 appears 129 times
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: String function: 00007FF810C43880 appears 51 times
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: String function: 00007FF61C4C2710 appears 52 times
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: String function: 00007FF810C43900 appears 116 times
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: String function: 00007FF810CA1325 appears 42 times

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1132 -s 900

Source: unicodedata.pyd.9.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.9.dr	Static PE information: No import functions for PE file found
Source: python3.dll.11.dr	Static PE information: No import functions for PE file found

Source: Qt5Core.dll.9.dr	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
Source: Qt5Core.dll.11.dr	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: classification engine

Classification label: mal80.spyw.evad.winPS1@39/433@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\oZsKAKyZ.zip

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2832:120:WilError_03
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6132
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1132
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3104

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqwutoc1.4ay.ps1

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: download.ps1

Virustotal: Detection: 10%

Source: check.exe	String found in binary or memory: <!--StartFragment-->
Source: check.exe	String found in binary or memory: <!--StartFragment-->

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1132 -s 900
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3104 -s 908
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6132 -s 972
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: msvcp140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5core.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: msvcp140_1.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5widgets.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5gui.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5gui.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5core.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: msvcp140_1.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5widgets.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5gui.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: qt5gui.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: download.ps1

Static file information: File size 51312121 > 1048576

Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: check.exe, 00000009.00000003.1535038874.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: check.exe, 00000009.00000003.1534307223.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: check.exe, 0000000A.00000002.1929551289.00007FF820045000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: check.exe, 0000000A.00000002.1919072539.00007FF817012000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: check.exe, 00000009.00000003.1553092763.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1934814344.00007FF8328F4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: check.exe, 00000009.00000003.1519013024.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1932912138.00007FF8312D5000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: check.exe, 00000009.00000003.1553493586.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: check.exe, 0000000A.00000002.1844584196.00007FF815697000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: check.exe, 0000000A.00000002.1844584196.00007FF815697000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: check.exe, 0000000A.00000002.1934058230.00007FF8328C3000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: check.exe, 00000009.00000003.1554542632.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1932337346.00007FF82F996000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000009.00000003.1534706073.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000009.00000003.1534110253.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: check.exe, 0000000A.00000002.1922404074.00007FF8175E6000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: check.exe, 0000000A.00000002.1893210919.00007FF8163DA000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1933226912.00007FF8314CB000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: check.exe, 00000009.00000003.1553729160.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1933661076.00007FF8327DD000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: check.exe, 00000009.00000003.1555003612.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1930467841.00007FF8217D9000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: check.exe, 0000000A.00000002.1926008632.00007FF817DB8000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: check.exe, 00000009.00000003.1553493586.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000009.00000003.1518870580.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platformthemes\qxdgdesktopportal.pdb source: check.exe, 00000009.00000003.1537482169.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1908082634.00007FF816C57000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: check.exe, 00000009.00000003.1507846068.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1933483639.00007FF8327C3000.00000002.00000001.01000000.00000014.sdmp, check.exe, 0000000B.00000003.1607144680.000002576C6C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: check.exe, 0000000A.00000002.1919072539.00007FF8170AA000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: check.exe, 0000000A.00000002.1929252341.00007FF81FFA5000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: check.exe, 0000000A.00000002.1922404074.00007FF8175E6000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: check.exe, 00000009.00000003.1535266228.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: check.exe, 00000009.00000003.1534464385.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: check.exe, 00000009.00000003.1535135785.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000009.00000003.1553092763.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1934814344.00007FF8328F4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: check.exe, 0000000A.00000002.1919072539.00007FF8170AA000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: check.exe, 00000009.00000003.1534598659.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: check.exe, 00000009.00000003.1563714667.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1932631944.00007FF830CF3000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: check.exe, 00000009.00000003.1554667624.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1933226912.00007FF8314CB000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: check.exe, 00000009.00000003.1554842675.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1931977826.00007FF82F683000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: check.exe, 00000009.00000003.1558259541.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: check.exe, 0000000A.00000002.1869934497.00007FF815DCA000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: check.exe, 0000000A.00000002.1845027622.00007FF8157A4000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: check.exe, 00000009.00000003.1535458758.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: check.exe, 00000009.00000003.1561770281.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817402826.000001DB18C80000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: check.exe, 00000009.00000003.1520788673.000001B4340E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: check.exe, 0000000A.00000002.1929252341.00007FF81FFA5000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: check.exe, 0000000A.00000002.1929858911.00007FF8217AE000.00000002.00000001.01000000.00000019.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String(${random_encoded_data});[System.IO.File]::WriteAllBytes(${random_archive_file},${random_decoded_bytes});${random_new_item}=New-Item -ItemType Directory -Path ${random_install_path};tr

Source: VCRUNTIME140.dll.9.dr

Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]

Source: MSVCP140.dll.9.dr	Static PE information: section name: .didat
Source: Qt5Core.dll.9.dr	Static PE information: section name: .qtmimed
Source: VCRUNTIME140.dll.9.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.9.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll0.9.dr	Static PE information: section name: _RDATA
Source: opengl32sw.dll.9.dr	Static PE information: section name: _RDATA
Source: qtuiotouchplugin.dll.9.dr	Static PE information: section name: .qtmetad
Source: qsvgicon.dll.9.dr	Static PE information: section name: .qtmetad
Source: qgif.dll.9.dr	Static PE information: section name: .qtmetad
Source: qicns.dll.9.dr	Static PE information: section name: .qtmetad
Source: qico.dll.9.dr	Static PE information: section name: .qtmetad
Source: qjpeg.dll.9.dr	Static PE information: section name: .qtmetad
Source: qsvg.dll.9.dr	Static PE information: section name: .qtmetad
Source: libcrypto-3.dll.9.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.9.dr	Static PE information: section name: .00cfg
Source: python313.dll.9.dr	Static PE information: section name: PyRuntim
Source: qtga.dll.9.dr	Static PE information: section name: .qtmetad
Source: qtiff.dll.9.dr	Static PE information: section name: .qtmetad
Source: qwbmp.dll.9.dr	Static PE information: section name: .qtmetad
Source: qwebp.dll.9.dr	Static PE information: section name: .qtmetad
Source: qminimal.dll.9.dr	Static PE information: section name: .qtmetad
Source: qoffscreen.dll.9.dr	Static PE information: section name: .qtmetad
Source: qwebgl.dll.9.dr	Static PE information: section name: .qtmetad
Source: qwindows.dll.9.dr	Static PE information: section name: .qtmetad
Source: qxdgdesktopportal.dll.9.dr	Static PE information: section name: .qtmetad
Source: qwindowsvistastyle.dll.9.dr	Static PE information: section name: .qtmetad
Source: VCRUNTIME140.dll.11.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.11.dr	Static PE information: section name: _RDATA
Source: MSVCP140.dll.11.dr	Static PE information: section name: .didat
Source: Qt5Core.dll.11.dr	Static PE information: section name: .qtmimed
Source: libcrypto-3.dll.11.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.11.dr	Static PE information: section name: .00cfg
Source: VCRUNTIME140.dll0.11.dr	Static PE information: section name: _RDATA
Source: python313.dll.11.dr	Static PE information: section name: PyRuntim
Source: opengl32sw.dll.11.dr	Static PE information: section name: _RDATA
Source: qtuiotouchplugin.dll.11.dr	Static PE information: section name: .qtmetad
Source: qsvgicon.dll.11.dr	Static PE information: section name: .qtmetad
Source: qgif.dll.11.dr	Static PE information: section name: .qtmetad
Source: qicns.dll.11.dr	Static PE information: section name: .qtmetad
Source: qico.dll.11.dr	Static PE information: section name: .qtmetad
Source: qjpeg.dll.11.dr	Static PE information: section name: .qtmetad
Source: qsvg.dll.11.dr	Static PE information: section name: .qtmetad
Source: qtga.dll.11.dr	Static PE information: section name: .qtmetad
Source: qtiff.dll.11.dr	Static PE information: section name: .qtmetad
Source: qwbmp.dll.11.dr	Static PE information: section name: .qtmetad
Source: qwebp.dll.11.dr	Static PE information: section name: .qtmetad
Source: qminimal.dll.11.dr	Static PE information: section name: .qtmetad
Source: qoffscreen.dll.11.dr	Static PE information: section name: .qtmetad
Source: qwebgl.dll.11.dr	Static PE information: section name: .qtmetad
Source: qwindows.dll.11.dr	Static PE information: section name: .qtmetad
Source: qxdgdesktopportal.dll.11.dr	Static PE information: section name: .qtmetad
Source: qwindowsvistastyle.dll.11.dr	Static PE information: section name: .qtmetad

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Code function: 22_2_00007FF81231D5E4 push rbx; retn 0000h

22_2_00007FF81231D5F5

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI29362\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\QtGui.pyd	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Code function: 9_2_00007FF61C4C76C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

9_2_00007FF61C4C76C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5688			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3982			Jump to behavior

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI29362\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\QtGui.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_9-17456

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

API coverage: 0.3 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5448

Thread sleep time: -17524406870024063s >= -30000s

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4C9280 FindFirstFileExW,FindClose,	9_2_00007FF61C4C9280
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4C83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	9_2_00007FF61C4C83C0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4E1874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_00007FF61C4E1874

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI77842\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\	Jump to behavior

Source: check.exe, 00000009.00000003.1558965974.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: check.exe, 0000000A.00000002.1820912917.000001DB19560000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fQEMU
Source: check.exe, 0000000A.00000003.1586442426.000001DB197B0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB197AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: check.exe, 0000000A.00000003.1578448364.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU)
Source: check.exe, 0000000A.00000002.1821926701.000001DB199FE000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: check.exe, 0000000A.00000002.1897462147.00007FF816648000.00000008.00000001.01000000.00000023.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Code function: 9_2_00007FF61C4DA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_00007FF61C4DA614

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Code function: 9_2_00007FF61C4E3480 GetProcessHeap,

9_2_00007FF61C4E3480

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4DA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF61C4DA614
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4CC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00007FF61C4CC8A0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4CD12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF61C4CD12C
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 9_2_00007FF61C4CD30C SetUnhandledExceptionFilter,	9_2_00007FF61C4CD30C
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 22_2_00007FF8123265D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_00007FF8123265D0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810B92C90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF810B92C90
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810B93248 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00007FF810B93248
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C543F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF810C543F0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C549A8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00007FF810C549A8
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C719E0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00007FF810C719E0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C71420 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF810C71420
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C81DF0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00007FF810C81DF0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C81830 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF810C81830
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C93DD0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	29_2_00007FF810C93DD0
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810C94390 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00007FF810C94390
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Code function: 29_2_00007FF810CA212B IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_00007FF810CA212B

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe "C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Code function: 9_2_00007FF61C4E9570 cpuid

9_2_00007FF61C4E9570

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtCore.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\sip.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer\md.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtWidgets.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\QtGui.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qminimal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qoffscreen.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platforms\qwindows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI77842 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5 VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Code function: 9_2_00007FF61C4CD010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

9_2_00007FF61C4CD010

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Code function: 9_2_00007FF61C4E5C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

9_2_00007FF61C4E5C00

Stealing of Sensitive Information

Opens network shares

Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py
Source: C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe	File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	LSASS Memory	2 System Time Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	141 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	44 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
download.ps1	8%	ReversingLabs	Script-PowerShell.Trojan.Powdow
download.ps1	10%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\MSVCP140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5DBus.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Qml.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5QmlModels.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Quick.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Svg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5WebSockets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\d3dcompiler_47.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\opengl32sw.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qgif.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qicns.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qico.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qsvg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qtga.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qtiff.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\imageformats\qwebp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qminimal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qwebgl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platforms\qwindows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtCore.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtGui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\QtWidgets.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\sip.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\charset_normalizer\md.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI29362\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\MSVCP140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5DBus.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59362\PyQt5\Qt5\bin\Qt5Network.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://cacerts.digi	0%	Avira URL Cloud	safe
http://hkinuxb3bz.top/1.php?s=527	100%	Avira URL Cloud	malware
http://www.color.org)	0%	Avira URL Cloud	safe
http://.../back.j	0%	Avira URL Cloud	safe
http://www.aiim.org/pdfa/ns/id/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nodejs.org	104.20.22.46	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/giampaolo/psutil/issues/875.	check.exe, 0000000A.00000002.1837968089.000001DB1A7C4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip	check.exe, 0000000A.00000002.1820912917.000001DB19560000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	check.exe, 0000000A.00000002.1817265869.000001DB173A9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	check.exe, 0000000A.00000002.1827037234.000001DB19F80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	check.exe, 0000000A.00000003.1589120882.000001DB198B9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	check.exe, 0000000A.00000003.1586390374.000001DB198CD000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1586442426.000001DB198AE000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlI	check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hkinuxb3bz.top/1.php?s=527	powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.securetrust.com/SGCA.crld:4	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	check.exe, 0000000A.00000002.1821539091.000001DB19660000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digi	check.exe, 00000009.00000003.1557034800.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000009.00000003.1564570590.000001B4340E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://peps.python.org/pep-0205/	check.exe, 0000000A.00000003.1578448364.000001DB192E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1820377142.000001DB19460000.00000004.00001000.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1566990368.000001DB18F21000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	check.exe, 0000000A.00000003.1589519363.000001DB199A2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589120882.000001DB1998F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1588922999.000001DB19A49000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1826258226.000001DB19D90000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1553618061.000001E5183B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	check.exe, 0000000A.00000002.1825553124.000001DB19B60000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	check.exe, 0000000A.00000002.1817508785.000001DB18DA4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/get	check.exe, 0000000A.00000002.1826258226.000001DB19D90000.00000004.00001000.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19A5B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000005.00000002.1553618061.000001E519EBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000002.1553618061.000001E5197B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	check.exe, 0000000A.00000002.1817265869.000001DB173A9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	check.exe, 0000000A.00000003.1578448364.000001DB192E4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1577442083.000001DB1932C000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB19260000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1576602943.000001DB193B9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	check.exe, 0000000A.00000002.1826258226.000001DB19D90000.00000004.00001000.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.color.org)	check.exe, 0000000A.00000002.1893210919.00007FF8163DA000.00000002.00000001.01000000.00000023.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB197AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	check.exe, 0000000A.00000002.1817265869.000001DB173A9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	check.exe, 0000000A.00000002.1825899036.000001DB19C60000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	check.exe, 0000000A.00000003.1589714879.000001DB1998F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589519363.000001DB199A2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589120882.000001DB1998F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1588922999.000001DB19A49000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19973000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/wiki/Development-Methodology	check.exe, 0000000A.00000002.1820912917.000001DB19560000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	check.exe, 0000000A.00000002.1825899036.000001DB19C60000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/lly	check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000005.00000002.1553618061.000001E519EBE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1553618061.000001E5185D9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19792000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589120882.000001DB198DC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	check.exe, 0000000A.00000002.1825553124.000001DB19B60000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/)	check.exe, 0000000A.00000002.1926008632.00007FF817DB8000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	check.exe, 0000000A.00000002.1821539091.000001DB19660000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	check.exe, 0000000A.00000002.1818046790.000001DB19260000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	check.exe, 0000000A.00000002.1818046790.000001DB19260000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	check.exe, 0000000A.00000002.1821926701.000001DB19A5B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.../back.jpeg	check.exe, 0000000A.00000002.1826258226.000001DB19D90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	check.exe, 0000000A.00000003.1586442426.000001DB197B0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB197AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/post	check.exe, 0000000A.00000003.1589037099.000001DB19455000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1587483493.000001DB19455000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1585208154.000001DB19455000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	check.exe, 0000000A.00000002.1817508785.000001DB18DA4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19AE0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	check.exe, 0000000A.00000002.1825899036.000001DB19C60000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	check.exe, 0000000A.00000002.1817775240.000001DB18F20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1589120882.000001DB198DC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.../back.j	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	check.exe, 0000000A.00000003.1589120882.000001DB198DC000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	check.exe, 0000000A.00000002.1821926701.000001DB19973000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	check.exe, 0000000A.00000002.1825553124.000001DB19B60000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	check.exe, 0000000A.00000003.1589120882.000001DB198B9000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB197AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://requests.readthedocs.io	check.exe, 0000000A.00000002.1827037234.000001DB19F10000.00000004.00001000.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1585208154.000001DB19455000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB19A5B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org	check.exe, 0000000A.00000003.1589037099.000001DB19455000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1587483493.000001DB19455000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1585208154.000001DB19455000.00000004.00000020.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm0U	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.aiim.org/pdfa/ns/id/	check.exe, 0000000A.00000002.1893210919.00007FF8163DA000.00000002.00000001.01000000.00000023.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.accv.es0	check.exe, 0000000A.00000002.1821926701.000001DB19A89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/	check.exe, 0000000A.00000002.1821926701.000001DB19A5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.org	check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/howto/mro.html.	check.exe, 0000000A.00000003.1570112394.000001DB18FAE000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000003.1570091446.000001DB19011000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1817883773.000001DB19160000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	check.exe, 0000000A.00000002.1817508785.000001DB18D20000.00000004.00001000.00020000.00000000.sdmp	false		high
https://twitter.com/	check.exe, 0000000A.00000003.1589120882.000001DB19912000.00000004.00000020.00020000.00000000.sdmp, check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/questions/4457745#4457745.	check.exe, 0000000A.00000002.1837968089.000001DB1A7C4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	check.exe, 0000000A.00000002.1818046790.000001DB1940B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module	check.exe, 0000000A.00000002.1817508785.000001DB18DA4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://google.com/	check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail/	check.exe, 0000000A.00000002.1821926701.000001DB1988C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/mail/	check.exe, 0000000A.00000002.1821926701.000001DB19792000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.22.46	nodejs.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571247
Start date and time:	2024-12-09 07:25:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	download.ps1
Detection:	MAL
Classification:	mal80.spyw.evad.winPS1@39/433@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 57% Number of executed functions: 48 Number of non-executed functions: 323
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target check.exe, PID 1132 because there are no executed function
Execution Graph export aborted for target check.exe, PID 3104 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:26:39	API Interceptor	43x Sleep call for process: powershell.exe modified
01:26:56	API Interceptor	3x Sleep call for process: check.exe modified
01:26:58	API Interceptor	3x Sleep call for process: WMIC.exe modified
01:27:15	API Interceptor	3x Sleep call for process: WerFault.exe modified
07:26:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe
07:26:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.20.22.46	check.exe	Get hash	malicious	Unknown	Browse
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse
	IM3OLcx7li.exe	Get hash	malicious	XWorm	Browse
	cgqdM4IA7C.exe	Get hash	malicious	XWorm	Browse
	hKWBNgRd7p.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse
	RHUENHera1.exe	Get hash	malicious	AsyncRAT, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nodejs.org	download.ps1	Get hash	malicious	Unknown	Browse	104.20.23.46
	check.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	check.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	az10.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.22.46
	kwlYObMOSn.exe	Get hash	malicious	XWorm	Browse	104.20.22.46
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	bootstraper.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	104.20.22.46
	KKjubdmzCR.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.20.23.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	x.ps1	Get hash	malicious	PureLog Stealer, Quasar	Browse	104.26.12.205
	cllmxIZWcQ.lnk	Get hash	malicious	Unknown	Browse	172.67.209.252
	DXzJ8Bi7WC.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	cd94pB4Z9p.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166
	IJGLxMMTaK.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	AmNdY4tRXD.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	NEW.RFQ00876.pdf.exe	Get hash	malicious	FormBook	Browse	172.67.145.234
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	172.67.177.137
	Hesap_Hareketleri_09122024_html.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\MSVCP140.dll	download.ps1	Get hash	malicious	Unknown	Browse
	check.exe	Get hash	malicious	Unknown	Browse
	check.exe	Get hash	malicious	Unknown	Browse
	az10.exe	Get hash	malicious	Unknown	Browse
	Update_4112024.exe	Get hash	malicious	Unknown	Browse
	Update_4112024.exe	Get hash	malicious	Unknown	Browse
	PyQtScrcpy.exe	Get hash	malicious	Unknown	Browse
	PyQtScrcpy.exe	Get hash	malicious	Unknown	Browse
	active.exe	Get hash	malicious	Unknown	Browse
	PumpBotPremium.msi	Get hash	malicious	Python Stealer	Browse

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.355804026402155
Encrypted:	false
SSDEEP:	192:a3Ml6n/0PRjijoRa+xhp2mQYfiyYgoFvNMYaqyp9QrKwn7xlXszLVVLv1SnYzuil:NlasPRjij83wntIRzuiFNY4lO81
MD5:	77440C7BF91434F3ED1F0AD61B84F76F
SHA1:	B872B5D8BCA08FB4B04D855BDFAA2FC677F3D621
SHA-256:	1CB2766D92669D4B76C064F9A0938F408C92E3AAE8E772F2287784323835C8AC
SHA-512:	1DCA2BA8A5DB0E81F6C330F4540ABA82C14C17EE0CF710EC1B61122FAB4217F3AA0660A92C3BA55F2076C5BFFF02FFCDCA9FEA7F4FC54F2905C0DB81D949E10F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.1.9.9.2.2.5.0.0.6.8.6.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.1.9.9.2.2.5.9.1.3.1.1.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.5.e.b.0.f.e.-.0.9.7.2.-.4.5.4.e.-.8.9.5.4.-.f.7.4.9.8.6.f.e.8.b.f.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.d.f.4.5.7.0.-.2.5.2.c.-.4.d.8.f.-.9.b.a.2.-.9.7.c.5.b.5.e.9.e.3.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.e.c.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.6.c.-.0.0.0.1.-.0.0.1.3.-.5.c.1.8.-.e.c.5.4.0.3.4.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.1.a.f.4.6.6.8.3.f.b.2.3.d.a.2.6.a.4.8.5.2.8.1.6.7.c.0.9.2.2.0.0.0.0.f.f.f.f.!.0.0.0.0.7.8.5.2.3.9.7.f.e.9.e.8.7.3.b.e.d.9.7.3.3.a.6.f.a.9.7.8.1.6.f.b.5.0.9.3.e.d.c.a.!.c.h.e.c.k...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.0.7.:.0.8.:.5.0.:.0.2.!.2.4.f.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1464
Entropy (8bit):	5.323051483830583
Encrypted:	false
SSDEEP:	24:3L3SKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9txNBJt/NKwJ0hNuTx9r8Hv9ILAl/:bSU4y4RQmFoUeCamfm9qr9trBLNGhNuw
MD5:	60FB5A72861D80922E273CFBF200154A
SHA1:	57C0D4311ADB4A7977D56FD973DBE3EC15AA4E24
SHA-256:	0C98296CCEC61956B5C404DA858F231B2B25D9E9253405F55414C00CE2D191E6
SHA-512:	5B62605E93E8ED78C448E9FCD226B58E424721419FA4420EEA3EFEDD1518620F35644D4F3B878ADF43D5885D9BA3AA884F64716EC477B7CA49A8C5EA97AE0227
Malicious:	false
Preview:	@...e...........).....................L..............@..........@...............\|.jdY\.H.s9.!..\|(.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.Management

Process:	C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: download.ps1, Detection: malicious, Browse Filename: check.exe, Detection: malicious, Browse Filename: check.exe, Detection: malicious, Browse Filename: az10.exe, Detection: malicious, Browse Filename: Update_4112024.exe, Detection: malicious, Browse Filename: Update_4112024.exe, Detection: malicious, Browse Filename: PyQtScrcpy.exe, Detection: malicious, Browse Filename: PyQtScrcpy.exe, Detection: malicious, Browse Filename: active.exe, Detection: malicious, Browse Filename: PumpBotPremium.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

File type:	ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	5.999000627811854
TrID:
File name:	download.ps1
File size:	51'312'121 bytes
MD5:	e9b2e27454fc1326cdb24bfc3b55b236
SHA1:	3416a2cbba0a6c1e4e8f33f671dfea5e5aacc3f8
SHA256:	cafc0a8f8b2a71b91f6ce0768d1e27e385d14879bdd591d47adfb4e492fde5db
SHA512:	4d9ce79022c115abe84ecef579face333417a6850f74dc7203c50e5eca6241b3110bc0d4e49f0a1a52deeb622a1e84cac81501f1d69ef8fd523af520a8a6fbad
SSDEEP:	49152:9Wogvv1w5kfNWbRPyIRX2dABup05egQSticWMH9Zpq0/RW0klo40AGlS8GhohOyf:R
TLSH:	A2B733105F6A6EB90A7C8239B0BF6F1E1BB04FD0844DF5EA43E464C7165EF414A2B86D
File Content Preview:	${random_error_action_preference}="Stop";Set-Location $Env:AppData;${random_install_path}="$Env:AppData\tFqTwCHm";if(Test-Path ${random_install_path}){if(Test-Path "$Env:AppData\lqqeEasA.txt"){Remove-Item "$Env:AppData\lqqeEasA.txt"};Exit};$domain=(Get-Wm

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 07:27:01.045527935 CET	49783	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:01.045574903 CET	443	49783	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:01.045733929 CET	49783	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:01.046855927 CET	49783	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:01.046864033 CET	443	49783	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:02.270478964 CET	443	49783	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:02.271135092 CET	49783	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:02.271159887 CET	443	49783	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:02.272298098 CET	443	49783	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:02.272358894 CET	49783	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:02.273842096 CET	49783	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:02.274015903 CET	443	49783	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:02.274070978 CET	49783	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:02.274130106 CET	49783	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:19.105400085 CET	49829	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:19.105443001 CET	443	49829	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:19.105518103 CET	49829	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:19.106758118 CET	49829	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:19.106775045 CET	443	49829	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:20.326354980 CET	443	49829	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:20.327043056 CET	49829	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:20.327069998 CET	443	49829	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:20.328222036 CET	443	49829	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:20.328280926 CET	49829	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:20.329585075 CET	49829	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:20.329775095 CET	443	49829	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:20.329828024 CET	49829	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:20.329853058 CET	49829	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:27.767117977 CET	49852	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:27.767160892 CET	443	49852	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:27.767273903 CET	49852	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:27.768141985 CET	49852	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:27.768156052 CET	443	49852	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:28.984117985 CET	443	49852	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:28.994492054 CET	49852	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:28.994502068 CET	443	49852	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:28.995678902 CET	443	49852	104.20.22.46	192.168.2.10
Dec 9, 2024 07:27:28.995769978 CET	49852	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:29.068368912 CET	49852	443	192.168.2.10	104.20.22.46
Dec 9, 2024 07:27:29.068550110 CET	49852	443	192.168.2.10	104.20.22.46

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 07:27:00.900811911 CET	57620	53	192.168.2.10	1.1.1.1
Dec 9, 2024 07:27:01.037442923 CET	53	57620	1.1.1.1	192.168.2.10

Target ID:	5
Start time:	01:26:21
Start date:	09/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase:	0x7ff7b2bb0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	01:26:44
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Imagebase:	0x7ff61c4c0000
File size:	38'750'516 bytes
MD5 hash:	A243FE9D1CFB5BF4E5C21C6E4861E09C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	01:26:50
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Imagebase:	0x7ff61c4c0000
File size:	38'750'516 bytes
MD5 hash:	A243FE9D1CFB5BF4E5C21C6E4861E09C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	01:26:54
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Imagebase:	0x7ff61c4c0000
File size:	38'750'516 bytes
MD5 hash:	A243FE9D1CFB5BF4E5C21C6E4861E09C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	15
Start time:	01:26:57
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Imagebase:	0x7ff7e0610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	20
Start time:	01:27:04
Start date:	09/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1132 -s 900
Imagebase:	0x7ff636e20000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	22
Start time:	01:27:05
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Imagebase:	0x7ff61c4c0000
File size:	38'750'516 bytes
MD5 hash:	A243FE9D1CFB5BF4E5C21C6E4861E09C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	24
Start time:	01:27:13
Start date:	09/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff682f40000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	01:27:16
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\tFqTwCHm\check.exe"
Imagebase:	0x7ff740fe0000
File size:	38'750'516 bytes
MD5 hash:	A243FE9D1CFB5BF4E5C21C6E4861E09C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	01:27:20
Start date:	09/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3104 -s 908
Imagebase:	0x7ff636e20000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	34
Start time:	01:27:24
Start date:	09/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff682f40000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	01:27:25
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Imagebase:	0x7ff7e0610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	40
Start time:	01:27:29
Start date:	09/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6132 -s 972
Imagebase:	0x7ff636e20000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	43

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report download.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_ee4b2146e406d55d1d7bff4ca9740b54ae3d236_f571cb24_2a5eb0fe-0972-454e-8954-f74986fe8bfc\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_ee4b2146e406d55d1d7bff4ca9740b54ae3d236_f571cb24_3e448435-1099-49cd-afd7-49fbadfeefbf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_ee4b2146e406d55d1d7bff4ca9740b54ae3d236_f571cb24_d4a4b39a-344c-4a95-9476-01ba86772e24\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E26.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F31.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F80.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3642.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37CA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3819.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5F2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7C8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD826.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\MSVCP140.dll

C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\MSVCP140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Core.dll

C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5DBus.dll

C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Gui.dll

C:\Users\user\AppData\Local\Temp\_MEI29362\PyQt5\Qt5\bin\Qt5Network.dll

Windows Analysis Report
download.ps1

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	128
Total number of Limit Nodes:	10

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre