Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample name:	1.exe
Analysis ID:	1585170
MD5:	3689dace869abbbe4e87f57078f6bec9
SHA1:	568f5a26f433d55c2628e3e3a5555a9046b19ee3
SHA256:	610f9a21f99667ede85d082521e7b8150b158b80bc1d13c4498ac095b2316255
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Drops password protected ZIP file

Found pyInstaller with non standard icon

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal communication platform credentials (via file / registry access)

Uses cmd line tools excessively to alter registry or file data

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

1.exe (PID: 5968 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 3689DACE869ABBBE4E87F57078F6BEC9)

1.exe (PID: 2304 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 3689DACE869ABBBE4E87F57078F6BEC9)

cmd.exe (PID: 5916 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6028 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3424 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 3040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5876 cmdline: C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 1708 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 3420 cmdline: C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6516 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 5824 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6012 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1492 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6768 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5588 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6120 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 5876 cmdline: C:\Windows\system32\cmd.exe /c "taskkill /f /im exodus.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5388 cmdline: taskkill /f /im exodus.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

powershell.exe (PID: 6720 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6496 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2948 cmdline: wmic cpu get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2064 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 6116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6732 cmdline: wmic computersystem get TotalPhysicalMemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5924 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 404 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cleanup

Sigma Signatures

System Summary

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\1.exe", ParentImage: C:\Users\user\Desktop\1.exe, ParentProcessId: 2304, ParentProcessName: 1.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 5824, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Get-Clipboard, CommandLine: powershell Get-Clipboard, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5824, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Get-Clipboard, ProcessId: 6012, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 1.exe	ReversingLabs: Detection: 41%
Source: 1.exe	Virustotal: Detection: 51%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.6% probability

Source: 1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142968513.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143265512.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: 1.exe, 00000000.00000003.2140777254.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141418951.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140544033.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142382964.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142817399.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143334365.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 1.exe, 00000000.00000003.2131826778.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141003458.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 1.exe, 00000000.00000003.2132886454.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142525333.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142237741.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142745850.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140622674.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141655577.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140377919.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140699760.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142669958.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141831695.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 1.exe, 00000000.00000003.2132886454.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143485995.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140922599.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 1.exe, 00000000.00000003.2142313193.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141572961.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140462716.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142599569.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 1.exe, 00000000.00000003.2131826778.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\win32trace.pdb source: 1.exe, 00000000.00000003.2156359102.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 1.exe, 00000000.00000003.2141336946.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143041232.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 1.exe, 00000000.00000003.2141736865.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141498347.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143117515.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143561263.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141929537.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142454218.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142163746.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: 1.exe, 00000000.00000003.2140851936.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143194031.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141252511.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141074156.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: 1.exe, 00000000.00000003.2151337499.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142891494.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143412270.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7E93A79B0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A85A0 FindFirstFileExW,FindClose,	0_2_00007FF7E93A85A0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7E93C0B84

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153
Source: Joe Sandbox View	IP Address: 144.76.136.153 144.76.136.153

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ipinfo.io

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=hosting,query HTTP/1.1Host: ip-api.comUser-Agent: python-requests/2.32.3Accept-Encoding: gzip, deflateAccept: */*Connection: keep-alive

Source: global traffic	DNS traffic detected: DNS query: idefasoft.fr
Source: global traffic	DNS traffic detected: DNS query: tiktok.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: transfer.sh

Source: 1.exe, 00000002.00000003.2997011920.0000026ABB14E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995799183.0000026ABB127000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996510516.0000026ABB13F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999565146.0000026ABAF9B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.cog
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151337499.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151337499.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crt
Source: 1.exe, 00000002.00000003.2997162730.0000026ABB89A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2179705139.0000026ABA981000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997294385.0000026ABB8A3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992785265.0000026ABA95D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001286090.0000026ABAFD9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002970788.0000026ABA9AC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182433260.0000026ABA95D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180117962.0000026ABA96E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999455715.0000026ABA95D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000087971.0000026ABA987000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: 1.exe, 00000002.00000003.2178691193.0000026ABAF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176894637.0000026ABAF79000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176894637.0000026ABAFC9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182245662.0000026ABAEB3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178404758.0000026ABAF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002721519.0000026ABAEFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182150064.0000026ABAFD5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180761502.0000026ABAF40000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180633947.0000026ABAFDF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178370407.0000026ABAFAF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180225392.0000026ABAFD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: 1.exe, 00000002.00000003.2999720061.0000026ABA8AC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: powershell.exe, 0000001F.00000002.2416517613.00000220986C6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2418599178.00000220988E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlC
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: 1.exe, 00000002.00000003.3002799381.0000026ABB96F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABB96E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003667534.0000026ABB9BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crlKG
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlC
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151337499.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 1.exe, 00000000.00000003.2140131037.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl
Source: 1.exe, 00000002.00000003.2997011920.0000026ABB14E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995799183.0000026ABB127000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996510516.0000026ABB13F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999565146.0000026ABAF9B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: 1.exe, 00000002.00000003.2178691193.0000026ABAF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178404758.0000026ABAF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180761502.0000026ABAF40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: 1.exe, 00000002.00000003.2995270880.0000026ABB96E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: 1.exe, 00000002.00000003.2178691193.0000026ABAF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178404758.0000026ABAF4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: 1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003232850.0000026ABBC8C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: powershell.exe, 0000001D.00000002.2339161609.000001B211E8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2322558013.000001B2037D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2339161609.000001B211FC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2409548445.000002209017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2409548445.00000220902B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.0000022081A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 1.exe, 00000002.00000003.2999720061.0000026ABA8AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151337499.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151337499.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000001F.00000002.2361908430.0000022081980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/er
Source: 1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/p
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/uw
Source: powershell.exe, 0000001D.00000002.2322558013.000001B201E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.0000022080101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBD65000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994346572.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: 1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: 1.exe, 00000002.00000003.2999720061.0000026ABA8AC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: powershell.exe, 0000001D.00000002.2322558013.000001B2032B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.00000220815A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000001F.00000002.2361908430.0000022081980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/U
Source: 1.exe, 00000002.00000003.2179228653.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178404758.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS
Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2151966728.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2148956047.00000239A9B5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: 1.exe, 00000002.00000003.2995739666.0000026ABB8D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: powershell.exe, 0000001D.00000002.2322328763.000001B200545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co-
Source: 1.exe, 00000002.00000003.2994108677.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993523199.0000026ABBF61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftOWNLO~1.TXTy./
Source: 1.exe, 00000002.00000003.2352534061.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352031794.0000026ABBF5E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310267438.0000026ABBF6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftom/pkiops/Docs/Repository./
Source: 1.exe, 00000002.00000003.2179228653.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180761502.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178404758.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: 1.exe, 00000002.00000003.2997011920.0000026ABB14E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995799183.0000026ABB127000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996510516.0000026ABB13F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000001D.00000002.2322558013.000001B201E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.0000022080101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBD65000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994346572.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://boxmatrix.info/wiki/Property:arping
Source: 1.exe, 00000002.00000003.2310172216.0000026ABCF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994251647.0000026ABCF59000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277385060.0000026ABCF48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306171318.0000026ABCF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2351954090.0000026ABCF48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992481017.0000026ABCF50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brew.sh
Source: 1.exe, 00000002.00000003.2352031794.0000026ABBF5E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993523199.0000026ABBF61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/pypa/setuptools
Source: powershell.exe, 0000001F.00000002.2361908430.0000022081A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.2361908430.0000022081A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.2361908430.0000022081A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: 1.exe, 00000002.00000003.2351404547.0000026ABD00A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/hazmat/
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/803025117553754132/815945031150993468
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordbackuper.uk.to/webhooks/hyzen_webhook/
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordverify.tech/webhooks/hyzen_dsc/
Source: 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordverify.tech/webhooks/hyzen_exod/
Source: 1.exe, 00000002.00000003.3000243404.0000026ABA7E5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002000425.0000026ABA7EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: 1.exe, 00000002.00000003.2176303617.0000026ABA9DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2179705139.0000026ABA981000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992785265.0000026ABA95D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994217265.0000026ABAA0E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2175307708.0000026ABA9DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182433260.0000026ABA95D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180117962.0000026ABA96E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2181839807.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2185527521.0000026ABB1B2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996474924.0000026ABB100000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996307404.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2181839807.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2185527521.0000026ABB1B2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996474924.0000026ABB100000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996307404.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: 1.exe, 00000002.00000003.2180036404.0000026ABB055000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182150064.0000026ABAFD5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996307404.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003947861.0000026ABAEB0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003851740.0000026ABAFDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: 1.exe, 00000002.00000003.2180036404.0000026ABB0C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180036404.0000026ABB055000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 0000001F.00000002.2361908430.0000022081980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBD65000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994346572.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ThomasHabets/arping
Source: 1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: 1.exe, 00000000.00000003.2156102244.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2131046109.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2156359102.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153299506.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2156359102.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2156219072.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2156481090.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153550121.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/black
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: 1.exe, 00000002.00000003.2182245662.0000026ABAEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/discussions
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/workflows/tests/badge.svg
Source: 1.exe, 00000002.00000003.2999455715.0000026ABA95D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: 1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: 1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: 1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: 1.exe, 00000002.00000003.2175307708.0000026ABA92F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2173498918.0000026ABA942000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999720061.0000026ABA8FB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2181034075.0000026ABA917000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001503647.0000026ABA938000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001217368.0000026ABA919000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2172016941.0000026ABA92F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2179579918.0000026ABA910000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2171915048.0000026ABA9D0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2172422142.0000026ABA935000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997745773.0000026ABA8FA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2174618831.0000026ABA942000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176443939.0000026ABA92F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2172929866.0000026ABA940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: 1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000818569.0000026ABA748000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003885082.0000026ABA7B5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001462320.0000026ABA7A9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: 1.exe, 00000002.00000003.2995270880.0000026ABB96E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: 1.exe, 00000002.00000003.3001462320.0000026ABA7A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://idefasoft.fr/pastes/KBEUSDINd5Da/raw/
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://idefasoft.fr/pastes/TFI8bM6C3BzB/raw/
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/code%20style-black-000000.svg
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2022-informational
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/discord/803025117553754132
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/setuptools.svg
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/setuptools.svg
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/readthedocs/setuptools/latest.svg
Source: 1.exe, 00000002.00000003.2997885206.0000026ABB883000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2185527521.0000026ABB20C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: 1.exe, 00000002.00000003.2350512173.0000026ABD0CA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992079577.0000026ABD0CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: powershell.exe, 0000001D.00000002.2339161609.000001B211E8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2322558013.000001B2037D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2339161609.000001B211FC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2409548445.000002209017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2409548445.00000220902B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.0000022081A99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 1.exe, 00000002.00000003.2997011920.0000026ABB14E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995799183.0000026ABB127000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996510516.0000026ABB13F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: powershell.exe, 0000001D.00000002.2322558013.000001B2032B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.00000220815A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000001D.00000002.2322558013.000001B2032B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.00000220815A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBD65000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994346572.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packages.debian.org/sid/iputils-arping
Source: 1.exe, 00000002.00000003.2997885206.0000026ABB883000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/installing/
Source: 1.exe, 00000002.00000003.2169109816.0000026ABA8B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2170125233.0000026ABA8AA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2170531315.0000026ABA8AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/pypa/setuptools/main/docs/images/banner-640x320.svg
Source: 1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/
Source: 1.exe, 00000002.00000003.3000414610.0000026ABA878000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176303617.0000026ABA98F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176102647.0000026ABAF2B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176102647.0000026ABAEDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/stable/history.html
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180036404.0000026ABB0C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001286090.0000026ABAFD9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182245662.0000026ABAEB3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180036404.0000026ABB055000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182150064.0000026ABAFD5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996307404.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003947861.0000026ABAEB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: 1.exe, 00000002.00000003.2306171318.0000026ABCF4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: 1.exe, 00000002.00000003.2304772061.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2299714488.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293063439.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2308455792.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 1.exe, 00000002.00000003.2994316363.0000026ABD095000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2305993678.0000026ABD08D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2294939972.0000026ABD091000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310315272.0000026ABD090000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352420223.0000026ABD091000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2309982952.0000026ABD08D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306468763.0000026ABD090000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: 1.exe, 00000002.00000003.2304772061.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2299714488.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293063439.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2308455792.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/github/pypa/setuptools?style=flat
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=readme
Source: 1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000818569.0000026ABA748000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003885082.0000026ABA7B5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001462320.0000026ABA7A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: 1.exe, 00000002.00000003.3003096126.0000026ABA778000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000818569.0000026ABA748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: 1.exe, 00000000.00000003.2145969486.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: 1.exe, 00000000.00000003.2145969486.00000239A9B62000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2145969486.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2146073212.00000239A9B62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: 1.exe, 00000002.00000003.2306292367.0000026ABBF6C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994108677.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352534061.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBD65000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352031794.0000026ABBF5E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994346572.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310267438.0000026ABBF6C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993523199.0000026ABBF61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293063439.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.manpagez.com/man/8/networksetup/
Source: 1.exe, 00000002.00000003.2305537618.0000026ABD144000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2308882505.0000026ABD144000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 1.exe, 00000002.00000003.2306171318.0000026ABCF4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org#
Source: 1.exe, 00000002.00000003.2350771281.0000026ABD0B7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0B7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2305723936.0000026ABD0B1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2305723936.0000026ABD0B7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2350771281.0000026ABD0AA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 1.exe, 00000002.00000003.2304772061.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2299714488.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293063439.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2308455792.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: 1.exe, 00000002.00000003.2304772061.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2299714488.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293063439.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2308455792.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 1.exe, 00000002.00000003.2304772061.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2299714488.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293063439.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2308455792.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: 1.exe, 00000002.00000003.2994075080.0000026ABCFB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2351404547.0000026ABD00A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2350870022.0000026ABCFAA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352493026.0000026ABCFB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html
Source: 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994075080.0000026ABCFB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2351404547.0000026ABD00A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2350870022.0000026ABCFAA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352493026.0000026ABCFB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man5/
Source: 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: 1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Drops password protected ZIP file

Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted
Source: AWGADYhKXN.zip.2.dr	Zip Entry: encrypted

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C5C74	0_2_00007FF7E93C5C74
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93BFBD8	0_2_00007FF7E93BFBD8
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C4F10	0_2_00007FF7E93C4F10
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A1000	0_2_00007FF7E93A1000
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B0A60	0_2_00007FF7E93B0A60
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B1280	0_2_00007FF7E93B1280
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C8A38	0_2_00007FF7E93C8A38
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B7AAC	0_2_00007FF7E93B7AAC
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C518C	0_2_00007FF7E93C518C
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93BD200	0_2_00007FF7E93BD200
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B91B0	0_2_00007FF7E93B91B0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B0C64	0_2_00007FF7E93B0C64
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B1484	0_2_00007FF7E93B1484
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B2CC4	0_2_00007FF7E93B2CC4
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C0B84	0_2_00007FF7E93C0B84
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A8B20	0_2_00007FF7E93A8B20
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B73F4	0_2_00007FF7E93B73F4
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C33BC	0_2_00007FF7E93C33BC
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B0E70	0_2_00007FF7E93B0E70
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93BCD6C	0_2_00007FF7E93BCD6C
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A95FB	0_2_00007FF7E93A95FB
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B1074	0_2_00007FF7E93B1074
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93BD880	0_2_00007FF7E93BD880
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B5040	0_2_00007FF7E93B5040
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B28C0	0_2_00007FF7E93B28C0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C2F20	0_2_00007FF7E93C2F20
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93BFBD8	0_2_00007FF7E93BFBD8
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B1F30	0_2_00007FF7E93B1F30
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C5728	0_2_00007FF7E93C5728
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A979B	0_2_00007FF7E93A979B
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A9FCD	0_2_00007FF7E93A9FCD

Source: C:\Users\user\Desktop\1.exe

Code function: String function: 00007FF7E93A25F0 appears 50 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: python3.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: 1.exe, 00000000.00000003.2136128759.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2140544033.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2141336946.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2142454218.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2140622674.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2140699760.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2143194031.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2156102244.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2140922599.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2141929537.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2132886454.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs 1.exe
Source: 1.exe, 00000000.00000003.2142891494.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2141498347.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2142968513.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2143412270.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2140462716.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2143265512.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2141736865.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2151162895.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2141655577.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2143485995.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2131826778.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs 1.exe
Source: 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2140851936.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2142669958.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2141252511.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2143117515.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2131046109.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2141572961.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2139967004.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2156359102.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2142817399.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2136291245.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2153299506.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom311.dll0 vs 1.exe
Source: 1.exe, 00000000.00000003.2143041232.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2143334365.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2154615224.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs 1.exe
Source: 1.exe, 00000000.00000003.2142313193.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2142745850.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2156359102.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2142525333.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2143561263.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2142237741.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2156219072.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32crypt.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2142599569.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2150719484.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs 1.exe
Source: 1.exe, 00000000.00000003.2151337499.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs 1.exe
Source: 1.exe, 00000000.00000003.2141074156.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2140131037.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2142382964.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2140777254.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2141831695.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2155141100.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1.exe
Source: 1.exe, 00000000.00000003.2141418951.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2141003458.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2140377919.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2156481090.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshell.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2153550121.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes311.dll0 vs 1.exe
Source: 1.exe, 00000000.00000003.2142163746.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc

Source: classification engine

Classification label: mal96.spyw.evad.winEXE@61/210@6/6

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E93A29E0 GetLastError,FormatMessageW,MessageBoxW,

0_2_00007FF7E93A29E0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:988:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03

Source: C:\Users\user\Desktop\1.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI59682

Jump to behavior

Source: 1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "exodus.exe")
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "exodus.exe")
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.exe, 00000002.00000003.2309982952.0000026ABD082000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2305723936.0000026ABD0AB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 1.exe	ReversingLabs: Detection: 41%
Source: 1.exe	Virustotal: Detection: 51%

Source: C:\Users\user\Desktop\1.exe

File read: C:\Users\user\Desktop\1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im exodus.exe
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get TotalPhysicalMemory
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get TotalPhysicalMemory	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im exodus.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Users\user\Desktop\1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 1.exe

Static file information: File size 25435744 > 1048576

Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142968513.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143265512.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: 1.exe, 00000000.00000003.2140777254.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141418951.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140544033.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142382964.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142817399.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143334365.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 1.exe, 00000000.00000003.2131826778.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: 1.exe, 00000000.00000003.2139072724.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141003458.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 1.exe, 00000000.00000003.2132886454.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142525333.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142237741.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142745850.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140622674.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 1.exe, 00000000.00000003.2137189149.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141655577.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140377919.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140699760.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: 1.exe, 00000000.00000003.2132982549.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142669958.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 1.exe, 00000000.00000003.2134334170.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141831695.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 1.exe, 00000000.00000003.2139833055.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 1.exe, 00000000.00000003.2132886454.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143485995.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140922599.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 1.exe, 00000000.00000003.2155530941.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 1.exe, 00000000.00000003.2142313193.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141572961.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 1.exe, 00000000.00000003.2140462716.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: 1.exe, 00000000.00000003.2139356733.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142599569.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 1.exe, 00000000.00000003.2131826778.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\win32trace.pdb source: 1.exe, 00000000.00000003.2156359102.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 1.exe, 00000000.00000003.2141336946.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143041232.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 1.exe, 00000000.00000003.2141736865.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: 1.exe, 00000000.00000003.2153685705.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141498347.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143117515.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143561263.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141929537.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142454218.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142163746.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: 1.exe, 00000000.00000003.2140851936.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143194031.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141252511.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: 1.exe, 00000000.00000003.2140281789.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: 1.exe, 00000000.00000003.2139745215.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 1.exe, 00000000.00000003.2141074156.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: 1.exe, 00000000.00000003.2151337499.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 1.exe, 00000000.00000003.2142891494.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 1.exe, 00000000.00000003.2143412270.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp

Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName	Jump to behavior

Source: api-ms-win-core-file-l1-2-0.dll.0.dr

Static PE information: 0x6A762B3D [Fri Aug 7 19:00:13 2026 UTC]

Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 29_2_00007FFD326819BA pushad ; ret

29_2_00007FFD326819C9

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\1.exe

Process created: "C:\Users\user\Desktop\1.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_imagingmath.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_imaging.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_webp.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_imagingcms.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_imagingtk.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_keccak.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E93A6EA0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF7E93A6EA0

Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\1.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2884
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4279
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3006

Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_imagingmath.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_imaging.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_webp.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_imagingcms.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL\_imagingtk.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\win32crypt.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\1.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-18067

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5132	Thread sleep count: 2884 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5904	Thread sleep count: 2340 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6136	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6116	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1456	Thread sleep count: 4279 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6912	Thread sleep count: 209 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5292	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428	Thread sleep count: 3006 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428	Thread sleep count: 192 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4044	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7E93A79B0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93A85A0 FindFirstFileExW,FindClose,	0_2_00007FF7E93A85A0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93C0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7E93C0B84

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 1.exe, 00000000.00000003.2144107763.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 1.exe, 00000002.00000003.3002304374.0000026AB891F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003595618.0000026AB8931000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 1.exe, 00000002.00000003.2348035481.0000026ABD523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E93B9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7E93B9924

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E93C2790 GetProcessHeap,

0_2_00007FF7E93C2790

Source: C:\Users\user\Desktop\1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93B9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7E93B9924
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93AC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7E93AC44C
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93ABBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7E93ABBC0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E93AC62C SetUnhandledExceptionFilter,	0_2_00007FF7E93AC62C

Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get TotalPhysicalMemory	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im exodus.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /f /im exodus.exe

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E93C8880 cpuid

0_2_00007FF7E93C8880

Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-console-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-file-l2-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-synch-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-synch-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-timezone-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-core-util-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-environment-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-heap-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-math-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\api-ms-win-crt-process-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32\pywintypes311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32\pythoncom311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\_asyncio.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI59682\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E93AC330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7E93AC330

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E93C4F10 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7E93C4F10

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml			Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	1 Timestomp	NTDS	61 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1.exe	42%	ReversingLabs	Win64.Trojan.ReverseShell
1.exe	51%	Virustotal		Browse
1.exe	100%	Avira	TR/PSW.Agent.buior

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI59682\Cryptodome\Hash\_SHA224.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://tidelift.com/security	0%	Avira URL Cloud	safe
http://repository.swisssign.com/er	0%	Avira URL Cloud	safe
http://cacerts.digicert.cog	0%	Avira URL Cloud	safe
http://repository.swisssign.com/p	0%	Avira URL Cloud	safe
http://repository.swisssign.com/uw	0%	Avira URL Cloud	safe
https://boxmatrix.info/wiki/Property:arping	0%	Avira URL Cloud	safe
https://discordverify.tech/webhooks/hyzen_exod/	0%	Avira URL Cloud	safe
https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
idefasoft.fr	151.80.152.246	true	false	unknown
tiktok.com	18.66.112.109	true	false	high
ipinfo.io	34.117.59.81	true	false	high
ip-api.com	208.95.112.1	true	false	high
transfer.sh	144.76.136.153	true	false	high
api.gofile.io	45.112.123.126	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/?fields=hosting,query	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf	1.exe, 00000002.00000003.2997011920.0000026ABB14E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995799183.0000026ABB127000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996510516.0000026ABB13F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/badge/skeleton-2022-informational	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mhammond/pywin32	1.exe, 00000000.00000003.2156102244.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2131046109.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2156359102.00000239A9B61000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153299506.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2156359102.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2156219072.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2156481090.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2153550121.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/pyversions/setuptools.svg	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/v/setuptools.svg	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/library/unittest.html	1.exe, 00000002.00000003.2995270880.0000026ABB96E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/actions?query=workflow%3ACI	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/security	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	1.exe, 00000000.00000003.2145969486.00000239A9B62000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2145969486.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2146073212.00000239A9B62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	1.exe, 00000002.00000003.3000243404.0000026ABA7E5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002000425.0000026ABA7EB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	1.exe, 00000002.00000003.2182245662.0000026ABAEB3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pypi.org/project/setuptools	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/workflows/tests/badge.svg	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000001D.00000002.2339161609.000001B211E8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2322558013.000001B2037D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2339161609.000001B211FC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2409548445.000002209017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2409548445.00000220902B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.0000022081A99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cacerts.digicert.cog	1.exe, 00000000.00000003.2138600147.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc3610	1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	1.exe, 00000002.00000003.2169109816.0000026ABA8B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2170125233.0000026ABA8AA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2170531315.0000026ABA8AA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	1.exe, 00000002.00000003.2999720061.0000026ABA8AC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packages.debian.org/sid/iputils-arping	1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBD65000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994346572.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001D.00000002.2322558013.000001B201E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2361908430.0000022080101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discordverify.tech/webhooks/hyzen_exod/	1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/pprint.html	1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2181839807.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2185527521.0000026ABB1B2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996474924.0000026ABB100000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996307404.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crlC	1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/get	1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/uw	1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001F.00000002.2361908430.0000022081980000.00000004.00000800.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access	1.exe, 00000002.00000003.3000414610.0000026ABA878000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176303617.0000026ABA98F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176102647.0000026ABAF2B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176102647.0000026ABAEDC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001F.00000002.2361908430.0000022081980000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	1.exe, 00000002.00000003.2175307708.0000026ABA92F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2173498918.0000026ABA942000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999720061.0000026ABA8FB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2181034075.0000026ABA917000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001503647.0000026ABA938000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001217368.0000026ABA919000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2172016941.0000026ABA92F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2179579918.0000026ABA910000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2171915048.0000026ABA9D0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2172422142.0000026ABA935000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997745773.0000026ABA8FA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2174618831.0000026ABA942000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176443939.0000026ABA92F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2172929866.0000026ABA940000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000001F.00000002.2361908430.0000022081A99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	1.exe, 00000002.00000003.3001462320.0000026ABA7A9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	1.exe, 00000000.00000003.2145969486.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/er	1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/p	1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codecov.io/gh/pypa/setuptools	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	1.exe, 00000002.00000003.2179228653.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178404758.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	1.exe, 00000002.00000003.2304772061.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2299714488.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293063439.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2308455792.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000001F.00000002.2361908430.0000022081980000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003232850.0000026ABBC8C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	false		high
https://brew.sh	1.exe, 00000002.00000003.2310172216.0000026ABCF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994251647.0000026ABCF59000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277385060.0000026ABCF48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306171318.0000026ABCF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2351954090.0000026ABCF48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992481017.0000026ABCF50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/multiprocessing.html	1.exe, 00000002.00000003.2176303617.0000026ABA9DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2179705139.0000026ABA981000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992785265.0000026ABA95D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994217265.0000026ABAA0E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2175307708.0000026ABA9DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182433260.0000026ABA95D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180117962.0000026ABA96E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html	1.exe, 00000002.00000003.2180036404.0000026ABB055000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2182150064.0000026ABAFD5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996307404.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003947861.0000026ABAEB0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3003851740.0000026ABAFDF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://github.com/ActiveState/appdirs	1.exe, 00000002.00000003.2178691193.0000026ABAF4F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178404758.0000026ABAF4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wiki.debian.org/XDGBaseDirectorySpecification#state	1.exe, 00000002.00000003.3003096126.0000026ABA778000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000818569.0000026ABA748000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	1.exe, 00000002.00000003.2997011920.0000026ABB14E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995799183.0000026ABB127000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996510516.0000026ABB13F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugzilla.mo	1.exe, 00000002.00000003.2352031794.0000026ABBF5E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993523199.0000026ABBF61000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	1.exe, 00000002.00000003.2304772061.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293244673.0000026ABD0DC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2299714488.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2293063439.0000026ABBF6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2308455792.0000026ABD305000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	1.exe, 00000002.00000003.2999720061.0000026ABA8AC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/security/	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://boxmatrix.info/wiki/Property:arping	1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBD65000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994346572.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es00	1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	1.exe, 00000002.00000003.2158391223.0000026ABA733000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	1.exe, 00000002.00000003.2179228653.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180761502.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2178404758.0000026ABAEFB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	1.exe, 00000002.00000003.2996807987.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html	1.exe, 00000002.00000003.2994075080.0000026ABCFB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2351404547.0000026ABD00A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2350870022.0000026ABCFAA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352493026.0000026ABCFB1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/cryptography/badge/?version=latest	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000187409.0000026ABBA67000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/installing/	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	1.exe, 00000002.00000003.2995270880.0000026ABBA14000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2998754025.0000026ABBA14000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	1.exe, 00000002.00000003.2306588393.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3004069377.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDB1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc5869	1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2301140771.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBD65000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBD66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994346572.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBD63000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/psf/black	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html	1.exe, 00000002.00000003.2997011920.0000026ABB14E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995799183.0000026ABB127000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBA4C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABB0DE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2995270880.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3000582627.0000026ABBC53000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997607005.0000026ABBC52000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2996510516.0000026ABB13F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3002928468.0000026ABBD35000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999565146.0000026ABAF9B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBADF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3001866849.0000026ABBD2A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2997370247.0000026ABBC23000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/post	1.exe, 00000002.00000003.2992893692.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2993635054.0000026ABAF99000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2352647127.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994800910.0000026ABAFBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAF88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2994382349.0000026ABAFBB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 0000001F.00000002.2361908430.0000022081A99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/	1.exe, 00000000.00000003.2145498424.00000239A9B57000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	1.exe, 00000002.00000003.2352647127.0000026ABAECC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353294920.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992893692.0000026ABAECE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2310405179.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2280798075.0000026ABAED2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	1.exe, 00000002.00000003.2301140771.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2277886088.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2298450794.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2311139842.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2999964452.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2992326469.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2353134905.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2306588393.0000026ABBDFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral	1.exe, 00000000.00000003.2153965322.00000239A9B54000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	1.exe, 00000002.00000003.2291765845.0000026ABD135000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html#re.sub	1.exe, 00000002.00000003.2180036404.0000026ABB0C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2180036404.0000026ABB055000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
144.76.136.153	transfer.sh	Germany	24940	HETZNER-ASDE	false
18.66.112.109	tiktok.com	United States	3	MIT-GATEWAYSUS	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
151.80.152.246	idefasoft.fr	Italy	16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585170
Start date and time:	2025-01-07 08:47:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.exe
Detection:	MAL
Classification:	mal96.spyw.evad.winEXE@61/210@6/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 43 Number of non-executed functions: 68
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 6496 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6720 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:48:07	API Interceptor	7x Sleep call for process: WMIC.exe modified
02:48:15	API Interceptor	11x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SharkHack.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	paint.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
144.76.136.153	SecuriteInfo.com.Win64.Trojan-gen.31951.26059.exe	Get hash	malicious	Unknown	Browse	transfer.sh/get/1h9hjM/LoWin64.exe
	SecuriteInfo.com.Win64.Trojan-gen.31951.26059.exe	Get hash	malicious	Unknown	Browse	transfer.sh/get/1h9hjM/LoWin64.exe
	http://144.76.136.153	Get hash	malicious	Unknown	Browse	144.76.136.153:443/
	file.exe	Get hash	malicious	RedLine	Browse	transfer.sh/get/wADq8n/434123433142.exe
	file.exe	Get hash	malicious	RedLine	Browse	transfer.sh/get/yAEPpl/gggge.exe
	1JCAVkYU3U.exe	Get hash	malicious	RedLine	Browse	transfer.sh/get/yAEPpl/gggge.exe
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	transfer.sh/get/yAEPpl/gggge.exe
	PURCHASE ORDER & SAMPLE IMAGE.xlsx	Get hash	malicious	Unknown	Browse	transfer.sh/get/I9BcJI/maxdyn2.1.exe
	RFQ-BT5004423.doc	Get hash	malicious	AveMaria, UACMe	Browse	transfer.sh/get/mGCQGV/gstallabt4.2.exe
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.16955.24932.rtf	Get hash	malicious	AveMaria, UACMe	Browse	transfer.sh/get/8LtEmv/mwele.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	DownloadedMessage.zip	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	34.117.59.81
	58VSNPxrI4.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
ip-api.com	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SharkHack.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	paint.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	miori.x86.elf	Get hash	malicious	Unknown	Browse	144.79.65.29
	sfqbr.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	94.130.22.61
	http://yamjoop.site	Get hash	malicious	Unknown	Browse	116.203.80.157
	ZipThis.exe	Get hash	malicious	Unknown	Browse	5.161.105.73
	https://tfeweb.co.uk/signoff	Get hash	malicious	Unknown	Browse	144.76.9.200
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	136.243.225.5
	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	88.198.57.50
	http://www.housepricesintheuk.co.uk	Get hash	malicious	Unknown	Browse	178.63.241.79
	getscreen-524501439-x86.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-524501439-x86.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
MIT-GATEWAYSUS	miori.x86.elf	Get hash	malicious	Unknown	Browse	18.43.155.129
	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	18.66.102.79
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	18.173.205.50
	sh4.elf	Get hash	malicious	Mirai	Browse	19.44.195.99
	arm4.elf	Get hash	malicious	Mirai	Browse	19.240.78.71
	ppc.elf	Get hash	malicious	Mirai	Browse	18.66.1.18
	w3245.exe	Get hash	malicious	Unknown	Browse	18.173.219.113
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	18.66.102.51
	https://u43161309.ct.sendgrid.net/ls/click?upn=u001.L9-2FCbhkaoUACh7As3yZ8i4iABGphfl-2FJgS6Xiu1aw6I-3DgXpA_qO4VbBWAKg4gLfGs-2BfuSyZki3gKzG4I1DrYN15Q8fD7JV1twLeLo1AFs1GBSG3ZgA22dFJdXJloKc56aXDeV3olJKTBJd8NprednZ2LeXdX-2BkcSQE-2F2FRwgBng5RbUCLfjS8-2FI3mrpwyYu9lRatIB62qUwPSax-2Fhh2c7R-2B7pT3Kos0wK0SEJGj4ZMkgOGYhEniKYT7Kn7jN25xFz2sFdtPlVQkIdCFKwDNWmq-2BrAxerZE2GuKgfkuf3l1UY4J42sOOltybAAVyLhV-2BXfmbuQpN4NpshXRIuhta8ho3ChcTA5NtgjludQThyLtwhGns-2ByLqSbpO1Bhhc-2FCgdgP-2BAOxYrGHvKHjVYRr6-2BiryADxfM-3D	Get hash	malicious	HTMLPhisher	Browse	18.66.102.51
	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	18.173.205.62
TUT-ASUS	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SharkHack.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	paint.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	34.117.77.79
	DownloadedMessage.zip	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	http://www.housepricesintheuk.co.uk	Get hash	malicious	Unknown	Browse	34.117.239.71
	https://www.scribd.com/document/787929982/script-tlsfrance	Get hash	malicious	Unknown	Browse	34.117.239.71
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://www.klim.com	Get hash	malicious	Unknown	Browse	34.117.77.79
	random.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	random.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_ARC4.pyd	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse
	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse
	snmpapi.exe	Get hash	malicious	Braodo	Browse
	snmpapi.exe	Get hash	malicious	Braodo	Browse
	54Oa5PcvK1.exe	Get hash	malicious	Unknown	Browse
	LmZVhGD5jF.exe	Get hash	malicious	Unknown	Browse
	zW72x5d91l.bat	Get hash	malicious	Unknown	Browse
	7EznMik8Fw.exe	Get hash	malicious	Python Stealer	Browse
	MkWMm5piE5.exe	Get hash	malicious	Python Stealer	Browse
	okG6LaM2yP.exe	Get hash	malicious	Python Stealer	Browse

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

Process:	C:\Users\user\Desktop\1.exe
File Type:	Zip archive data, at least v6.3 to extract, compression method=AES Encrypted
Category:	dropped
Size (bytes):	499784
Entropy (8bit):	7.9994668849975525
Encrypted:	true
SSDEEP:	12288:XwYQBkYgxUGFMPeO9PtuPGr1sY7eVdOitcioKaIS2WD:AYDYgxUG9xGhsY7eVdOiWvIfS
MD5:	5A033AAAEC17327985290F065EFBDC2F
SHA1:	781F1373C964D02D4AC564FDA01540294720B804
SHA-256:	C2F480120AA884294B64E136899DCCF04890BF3019C3EBBA098885F409F5E90A
SHA-512:	E9E5622F04CF95FB3B7F6363B22A3F195BB240836C752EF08157E914153501D27F7FFC8E3A0B6C6AE577DE545C243E2461BA089347C2548A8F9C0F19BC580BEF
Malicious:	false
Preview:	PK..?...c...'ZV...............AWGADYhKXN/Data.txt......AE.....?.h.O....B..9.6xxU='...}..}f2lSF..!q.j.@/..s.P...M.G.......O..Zz..:...\|..W.\|Z=......^Y...j..O.CL?.+..A..S...E.....:......{.^.....I...a.l.Ih....u.?.{r......Q@,ZT.4C.o....:....).......Z...R.o..&.S...G.Gk]~.H.=.......)>Q^rGY....0c...I...>PK..?...c...'ZtdUg...n.......AWGADYhKXN/Errors.txt......AE....J.@Y...\|.m"P..E....B.......4.....i.M.e\|)^bG.hX.....N....Z...EG'.O.<.73....#.n&.C.............t.w_..}?b....9...YL.......(....Q.Dr:..K.BF.m.OW..f..$F..Wk..c...8oyTR....{.Tv.Nf...vuY..:..QT.z...%)3+......v...#\..$S...9.....t\...!.^2...`..L8)K..8....Q.$.c}..X....N...........w.!...t.........{.U..+...._u9.Y,..1....^.c....^'..U6...Iis..t[Q.......4.Q.Eu.Q..D.PZX...v...(.. c.gb...X^S..Xu..y...+..Efl.%IE......2d.D............,.0.\..'.#\\|Zz.n....G...:>+.p.8..H..I.-.\?9G.2...MO.i..+...yH.....u.u.z'=.Em......`...........8.....M..`rCR.sY.A...\|..6.+..u..].............Q@B.C..9.....x?_2.B......&.6..0..n.Xq-..

Process:	C:\Windows\System32\taskkill.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.261043983337285
Encrypted:	false
SSDEEP:	3:RLg9duHAFmLKUe9y:RLg9dugMe9y
MD5:	AD2E5CC5CADCC56B8446CE435BD42CE4
SHA1:	263793D122F1837B8916BF8623FE5AB4202E1131
SHA-256:	78609DB3A08FA8D24F189A78895E9E5D49580969F42692E466652EF04EB254B2
SHA-512:	A66C94FF4709245AD3F37DE98C9418D4AA1AEBE8EC234984E2BD6D80D6E76F7ABD70C0D357722714BB0C355716AFF3CB20970C01BE5FB4453AA3E5A523C9131E
Malicious:	false
Preview:	ERROR: The process "exodus.exe" not found...

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.997371210548079
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1.exe
File size:	25'435'744 bytes
MD5:	3689dace869abbbe4e87f57078f6bec9
SHA1:	568f5a26f433d55c2628e3e3a5555a9046b19ee3
SHA256:	610f9a21f99667ede85d082521e7b8150b158b80bc1d13c4498ac095b2316255
SHA512:	07f18aaa4119df6a7711a8b21157e15473f2b2654fea6eb426857f745cc1b45eb22646c1f754f47cfd07b43b1840d3d31a9762f9354e9db10f06d82552034d2e
SSDEEP:	393216:nEkQnvgKeQtss27CyDgPYVnNSMtW+eGQRJ93iObIhRS/DW3L8rpJ4s3E6spdp0w:nqjeQtspDgPQHW+e5RT9MhRD3Y9GQIZ
TLSH:	3247331742624962F9A4013F5006C6245A31AC1177ACF2FA9FB5F8552BFFFAE8A31F44
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc.....[hc...`.Qhc...g.Ihc...f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d..

Entrypoint:	0x14000c0d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B0ECA1 [Mon Aug 5 15:15:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	456e8615ad4320c9f54e50319a19df9c

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0xce34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x46000	0x2208	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0x768	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39dc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39c80	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x450	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29210	0x29400	aca64598002ecff9eefbc96554edf015	False	0.5511067708333334	data	6.4784482217419175	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12642	0x12800	66146420f548cf2acca472542a84c0d8	False	0.5245460304054054	data	5.750861752432239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x73d8	0xe00	d0a288978c66419b180b35f625b6dce7	False	0.13532366071428573	data	1.8378139998458343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x46000	0x2208	0x2400	74cf3ea22e0a1756984435d6f80f7da5	False	0.4671223958333333	data	5.259201915045256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x49000	0xce34	0xd000	d717912eb54292316bc235b3159acb50	False	0.042367788461538464	data	3.816041843179243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0x768	0x800	71de9271648326ec88350e903470cf3e	False	0.5576171875	data	5.283119454571673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x490e8	0xc828	Device independent bitmap graphic, 128 x 256 x 24, image size 51200	0.02777127244340359
RT_GROUP_ICON	0x55910	0x14	data	1.15
RT_MANIFEST	0x55924	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

DLL	Import
USER32.dll	CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, FormatMessageW, GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, WaitForSingleObject, Sleep, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 08:48:07.461747885 CET	49722	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:07.461782932 CET	443	49722	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:07.461841106 CET	49722	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:07.462821007 CET	49722	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:07.462830067 CET	443	49722	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:08.110584974 CET	443	49722	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:08.122260094 CET	49722	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:08.122283936 CET	443	49722	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:08.123703957 CET	443	49722	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:08.123784065 CET	49722	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:08.179410934 CET	49722	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:08.179601908 CET	49722	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:11.572527885 CET	49749	443	192.168.2.6	18.66.112.109
Jan 7, 2025 08:48:11.572555065 CET	443	49749	18.66.112.109	192.168.2.6
Jan 7, 2025 08:48:11.572613955 CET	49749	443	192.168.2.6	18.66.112.109
Jan 7, 2025 08:48:11.572927952 CET	49749	443	192.168.2.6	18.66.112.109
Jan 7, 2025 08:48:11.572940111 CET	443	49749	18.66.112.109	192.168.2.6
Jan 7, 2025 08:48:12.289802074 CET	443	49749	18.66.112.109	192.168.2.6
Jan 7, 2025 08:48:12.290292978 CET	49749	443	192.168.2.6	18.66.112.109
Jan 7, 2025 08:48:12.290308952 CET	443	49749	18.66.112.109	192.168.2.6
Jan 7, 2025 08:48:12.291501045 CET	443	49749	18.66.112.109	192.168.2.6
Jan 7, 2025 08:48:12.291568995 CET	49749	443	192.168.2.6	18.66.112.109
Jan 7, 2025 08:48:12.293245077 CET	49749	443	192.168.2.6	18.66.112.109
Jan 7, 2025 08:48:12.293323994 CET	443	49749	18.66.112.109	192.168.2.6
Jan 7, 2025 08:48:12.293394089 CET	49749	443	192.168.2.6	18.66.112.109
Jan 7, 2025 08:48:12.293420076 CET	49749	443	192.168.2.6	18.66.112.109
Jan 7, 2025 08:48:12.309838057 CET	49755	80	192.168.2.6	208.95.112.1
Jan 7, 2025 08:48:12.314917088 CET	80	49755	208.95.112.1	192.168.2.6
Jan 7, 2025 08:48:12.314985991 CET	49755	80	192.168.2.6	208.95.112.1
Jan 7, 2025 08:48:12.315340042 CET	49755	80	192.168.2.6	208.95.112.1
Jan 7, 2025 08:48:12.320058107 CET	80	49755	208.95.112.1	192.168.2.6
Jan 7, 2025 08:48:12.781229973 CET	80	49755	208.95.112.1	192.168.2.6
Jan 7, 2025 08:48:12.782442093 CET	49755	80	192.168.2.6	208.95.112.1
Jan 7, 2025 08:48:12.788969994 CET	80	49755	208.95.112.1	192.168.2.6
Jan 7, 2025 08:48:12.789030075 CET	49755	80	192.168.2.6	208.95.112.1
Jan 7, 2025 08:48:12.874703884 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:12.874730110 CET	443	49761	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:12.874794960 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:12.875874996 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:12.875883102 CET	443	49761	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:13.502954006 CET	443	49761	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:13.579615116 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:13.816772938 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:13.816798925 CET	443	49761	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:13.818178892 CET	443	49761	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:13.818202019 CET	443	49761	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:13.818253994 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:13.851531029 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:13.851787090 CET	443	49761	151.80.152.246	192.168.2.6
Jan 7, 2025 08:48:13.851850033 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:13.880456924 CET	49761	443	192.168.2.6	151.80.152.246
Jan 7, 2025 08:48:33.097560883 CET	49886	443	192.168.2.6	34.117.59.81
Jan 7, 2025 08:48:33.097604990 CET	443	49886	34.117.59.81	192.168.2.6
Jan 7, 2025 08:48:33.097734928 CET	49886	443	192.168.2.6	34.117.59.81
Jan 7, 2025 08:48:33.098530054 CET	49886	443	192.168.2.6	34.117.59.81
Jan 7, 2025 08:48:33.098545074 CET	443	49886	34.117.59.81	192.168.2.6
Jan 7, 2025 08:48:33.571523905 CET	443	49886	34.117.59.81	192.168.2.6
Jan 7, 2025 08:48:33.572448969 CET	49886	443	192.168.2.6	34.117.59.81
Jan 7, 2025 08:48:33.572460890 CET	443	49886	34.117.59.81	192.168.2.6
Jan 7, 2025 08:48:33.573498011 CET	443	49886	34.117.59.81	192.168.2.6
Jan 7, 2025 08:48:33.573575974 CET	49886	443	192.168.2.6	34.117.59.81
Jan 7, 2025 08:48:33.574716091 CET	49886	443	192.168.2.6	34.117.59.81
Jan 7, 2025 08:48:33.574848890 CET	443	49886	34.117.59.81	192.168.2.6
Jan 7, 2025 08:48:33.574903011 CET	49886	443	192.168.2.6	34.117.59.81
Jan 7, 2025 08:48:33.575242996 CET	49886	443	192.168.2.6	34.117.59.81
Jan 7, 2025 08:48:41.273293018 CET	49938	443	192.168.2.6	45.112.123.126
Jan 7, 2025 08:48:41.273314953 CET	443	49938	45.112.123.126	192.168.2.6
Jan 7, 2025 08:48:41.273387909 CET	49938	443	192.168.2.6	45.112.123.126
Jan 7, 2025 08:48:41.273825884 CET	49938	443	192.168.2.6	45.112.123.126
Jan 7, 2025 08:48:41.273839951 CET	443	49938	45.112.123.126	192.168.2.6
Jan 7, 2025 08:48:41.933573008 CET	443	49938	45.112.123.126	192.168.2.6
Jan 7, 2025 08:48:41.933989048 CET	49938	443	192.168.2.6	45.112.123.126
Jan 7, 2025 08:48:41.934006929 CET	443	49938	45.112.123.126	192.168.2.6
Jan 7, 2025 08:48:41.934899092 CET	443	49938	45.112.123.126	192.168.2.6
Jan 7, 2025 08:48:41.934972048 CET	49938	443	192.168.2.6	45.112.123.126
Jan 7, 2025 08:48:41.936156034 CET	49938	443	192.168.2.6	45.112.123.126
Jan 7, 2025 08:48:41.936279058 CET	443	49938	45.112.123.126	192.168.2.6
Jan 7, 2025 08:48:41.936300039 CET	49938	443	192.168.2.6	45.112.123.126
Jan 7, 2025 08:48:41.936335087 CET	49938	443	192.168.2.6	45.112.123.126
Jan 7, 2025 08:48:42.025039911 CET	49943	443	192.168.2.6	144.76.136.153
Jan 7, 2025 08:48:42.025079966 CET	443	49943	144.76.136.153	192.168.2.6
Jan 7, 2025 08:48:42.025161028 CET	49943	443	192.168.2.6	144.76.136.153
Jan 7, 2025 08:48:42.025623083 CET	49943	443	192.168.2.6	144.76.136.153
Jan 7, 2025 08:48:42.025636911 CET	443	49943	144.76.136.153	192.168.2.6
Jan 7, 2025 08:49:24.768923044 CET	443	49943	144.76.136.153	192.168.2.6
Jan 7, 2025 08:49:24.769174099 CET	49943	443	192.168.2.6	144.76.136.153
Jan 7, 2025 08:49:24.769242048 CET	49943	443	192.168.2.6	144.76.136.153
Jan 7, 2025 08:49:24.769258022 CET	443	49943	144.76.136.153	192.168.2.6

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 08:48:07.429990053 CET	64451	53	192.168.2.6	1.1.1.1
Jan 7, 2025 08:48:07.454803944 CET	53	64451	1.1.1.1	192.168.2.6
Jan 7, 2025 08:48:11.565023899 CET	61280	53	192.168.2.6	1.1.1.1
Jan 7, 2025 08:48:11.571553946 CET	53	61280	1.1.1.1	192.168.2.6
Jan 7, 2025 08:48:12.302392006 CET	53480	53	192.168.2.6	1.1.1.1
Jan 7, 2025 08:48:12.308986902 CET	53	53480	1.1.1.1	192.168.2.6
Jan 7, 2025 08:48:33.089885950 CET	56092	53	192.168.2.6	1.1.1.1
Jan 7, 2025 08:48:33.096765995 CET	53	56092	1.1.1.1	192.168.2.6
Jan 7, 2025 08:48:41.263360023 CET	61327	53	192.168.2.6	1.1.1.1
Jan 7, 2025 08:48:41.270886898 CET	53	61327	1.1.1.1	192.168.2.6
Jan 7, 2025 08:48:41.992436886 CET	55299	53	192.168.2.6	1.1.1.1
Jan 7, 2025 08:48:42.024147034 CET	53	55299	1.1.1.1	192.168.2.6

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 08:48:12.315340042 CET	167	OUT	GET /json/?fields=hosting,query HTTP/1.1 Host: ip-api.com User-Agent: python-requests/2.32.3 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Jan 7, 2025 08:48:12.781229973 CET	216	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 07:48:12 GMT Content-Type: application/json; charset=utf-8 Content-Length: 40 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 68 6f 73 74 69 6e 67 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"hosting":false,"query":"8.46.123.189"}

Target ID:	0
Start time:	02:47:56
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1.exe"
Imagebase:	0x7ff7e93a0000
File size:	25'435'744 bytes
MD5 hash:	3689DACE869ABBBE4E87F57078F6BEC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	02:48:00
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1.exe"
Imagebase:	0x7ff7e93a0000
File size:	25'435'744 bytes
MD5 hash:	3689DACE869ABBBE4E87F57078F6BEC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	02:48:03
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff789530000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	02:48:08
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get uuid
Imagebase:	0x7ff7f1cb0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	02:48:09
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
Imagebase:	0x7ff789530000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	02:48:12
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff789530000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	02:48:13
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "taskkill /f /im exodus.exe"
Imagebase:	0x7ff789530000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	02:48:14
Start date:	07/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im exodus.exe
Imagebase:	0x7ff6114d0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\AWGADYhKXN.zip

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\Data.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\Directories\Desktop.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\Directories\Documents.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\Directories\Downloads.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\Directories\Music.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\Directories\Pictures.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\Directories\Videos.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\Errors.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\System\Antivirus.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\System\Applications.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\System\Tasklist.txt

C:\Users\user\AppData\Local\Temp\AWGADYhKXN\System\screenshot.png

C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI59682\Crypto\Cipher\_pkcs1_decode.pyd

Windows Analysis Report
1.exe

Target ID:	29
Start time:	02:48:16
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	31
Start time:	02:48:20
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	02:48:27
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic cpu get name
Imagebase:	0x7ff7f1cb0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	02:48:28
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7f1cb0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	37
Start time:	02:48:29
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get TotalPhysicalMemory
Imagebase:	0x7ff7f1cb0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	02:48:30
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff789530000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	73

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre