Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample name:	1.exe
Analysis ID:	1585170
MD5:	3689dace869abbbe4e87f57078f6bec9
SHA1:	568f5a26f433d55c2628e3e3a5555a9046b19ee3
SHA256:	610f9a21f99667ede85d082521e7b8150b158b80bc1d13c4498ac095b2316255
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Found pyInstaller with non standard icon

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal communication platform credentials (via file / registry access)

Uses cmd line tools excessively to alter registry or file data

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

1.exe (PID: 6392 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 3689DACE869ABBBE4E87F57078F6BEC9)

1.exe (PID: 6008 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 3689DACE869ABBBE4E87F57078F6BEC9)

cmd.exe (PID: 3276 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4568 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 4688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1440 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6504 cmdline: C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5064 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6624 cmdline: C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5840 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6668 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6152 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 5660 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2072 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 5560 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3620 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cmd.exe (PID: 4028 cmdline: C:\Windows\system32\cmd.exe /c "taskkill /f /im exodus.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1440 cmdline: taskkill /f /im exodus.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

powershell.exe (PID: 6160 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5584 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4984 cmdline: wmic cpu get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2300 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4404 cmdline: wmic computersystem get TotalPhysicalMemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5776 cmdline: C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7124 cmdline: C:\Windows\System32\wbem\WMIC.exe csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cleanup

Sigma Signatures

Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\1.exe", ParentImage: C:\Users\user\Desktop\1.exe, ParentProcessId: 6008, ParentProcessName: 1.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 6668, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Get-Clipboard, CommandLine: powershell Get-Clipboard, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6668, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Get-Clipboard, ProcessId: 6152, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 1.exe	ReversingLabs: Detection: 50%
Source: 1.exe	Virustotal: Detection: 51%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Source: 1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036212878.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036604326.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: 1.exe, 00000000.00000003.2033316380.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034131917.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033108865.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035374269.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035915792.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036702135.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 1.exe, 00000000.00000003.2030310399.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033524827.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 1.exe, 00000000.00000003.2030494414.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035544467.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035205300.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035791816.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033177993.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034682713.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: 1.exe, 00000000.00000003.2032963298.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033247099.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035711607.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034915497.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 1.exe, 00000000.00000003.2030494414.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036888029.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033452321.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 1.exe, 00000000.00000003.2035294894.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034317373.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033032716.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035624504.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 1.exe, 00000000.00000003.2030310399.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\win32trace.pdb source: 1.exe, 00000000.00000003.2056254055.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036295660.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 1.exe, 00000000.00000003.2034058778.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 1.exe, 00000000.00000003.2034773015.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034211271.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036390732.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036977171.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035024973.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035463779.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035112936.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: 1.exe, 00000000.00000003.2033383204.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036488537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033795752.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: 1.exe, 00000000.00000003.2032881754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033639541.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035998878.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036795229.00000252636C5000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19579B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7E19579B0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19585A0 FindFirstFileExW,FindClose,	0_2_00007FF7E19585A0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1970B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7E1970B84

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\pythonwin	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-console-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\win32	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-datetime-l1-1-0.dll	Jump to behavior

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ipinfo.io

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=hosting,query HTTP/1.1Host: ip-api.comUser-Agent: python-requests/2.32.3Accept-Encoding: gzip, deflateAccept: */*Connection: keep-alive

Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: idefasoft.fr
Source: global traffic	DNS traffic detected: DNS query: tiktok.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: transfer.sh

Source: 1.exe, 00000002.00000003.3035920928.0000017A3B63B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043851224.0000017A3B644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcp
Source: 1.exe, 00000002.00000003.3035036468.0000017A3BAE7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047292326.0000017A3BAC9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040787963.0000017A3A5B5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042535363.0000017A3B788000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042759887.0000017A3BA37000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041374609.0000017A3BB1B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061076963.0000017A3BACF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042333473.0000017A3BA96000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041546488.0000017A3BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032881754.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050331000.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032881754.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crt
Source: 1.exe, 00000002.00000003.3042660136.0000017A3ADEF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076775219.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3049433453.0000017A3ABC5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035717266.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053378498.0000017A3ADFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058556484.0000017A3AAB2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048191712.0000017A3ABBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038202220.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2074696121.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048315405.0000017A3ADFD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047326892.0000017A3ADF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2078098059.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3050933300.0000017A3ADFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061688057.0000017A3AABD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2070576133.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041046094.0000017A3ABBD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2080221915.0000017A3ADDE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3ABBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: 1.exe, 00000002.00000003.3054737249.0000017A3ABD9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2070473934.0000017A3AC3A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041905028.0000017A3ABD5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076775219.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3049433453.0000017A3ABD9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076232061.0000017A3ABCA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2074696121.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046016318.0000017A3ABD9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2078098059.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038616443.0000017A3ABC9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042404909.0000017A3ABD8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059519843.0000017A3ABDD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2070576133.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076920432.0000017A3ABD2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3ABBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: 1.exe, 00000002.00000003.3061197450.0000017A3B705000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3052626504.0000017A387A8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051508240.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044166321.0000017A3B6E4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039691074.0000017A3B6E4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042600296.0000017A38790000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041937878.0000017A38778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 1.exe, 00000002.00000003.3054243290.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033943293.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042437768.0000017A3B8A1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046937631.0000017A3B8A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: 1.exe, 00000002.00000003.3054243290.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033943293.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl:z
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl4
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl=
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048578064.0000017A3BB92000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048578064.0000017A3BB92000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: 1.exe, 00000002.00000003.3045170741.0000017A3BAA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042333473.0000017A3BA96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032881754.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050331000.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 1.exe, 00000000.00000003.2032881754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl
Source: 1.exe, 00000002.00000003.3058967461.0000017A3BACE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045170741.0000017A3BAA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047292326.0000017A3BAC9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040787963.0000017A3A5B5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061076963.0000017A3BACF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042333473.0000017A3BA96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033943293.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044166321.0000017A3B6BB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3062873353.0000017A3B6C0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039691074.0000017A3B6B7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035036468.0000017A3BAE7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042535363.0000017A3B788000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041374609.0000017A3BB1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058967461.0000017A3BACE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045012618.0000017A3AB36000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047456493.0000017A3BAAD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043146851.0000017A3BBB8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056719202.0000017A3BAAE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045170741.0000017A3BAA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058556484.0000017A3AAB2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047292326.0000017A3BAC9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061076963.0000017A3BACF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042333473.0000017A3BA96000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: 1.exe, 00000002.00000003.2076775219.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076232061.0000017A3ABCA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2074696121.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2078098059.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2070576133.0000017A3ABC0000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076920432.0000017A3ABD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: 1.exe, 00000002.00000003.3043851224.0000017A3B634000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036160557.0000017A3B62B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043908220.0000017A3B63A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: 1.exe, 00000002.00000003.3042660136.0000017A3ADEF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053077672.0000017A3AE11000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035717266.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038202220.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048315405.0000017A3ADFD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047326892.0000017A3ADF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3050933300.0000017A3ADFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056684147.0000017A3AE13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: 1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3062055214.0000017A3BA38000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042759887.0000017A3BA37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: 1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042759887.0000017A3BA37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: powershell.exe, 0000001B.00000002.2298150124.000001CE3F072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2284479122.000001CE30795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2298150124.000001CE3EF3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: 1.exe, 00000002.00000003.3052626504.0000017A387A8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051508240.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042600296.0000017A38790000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041937878.0000017A38778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032881754.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032881754.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050331000.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000001B.00000002.2284479122.000001CE3070E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 1.exe, 00000002.00000003.3054243290.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033943293.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: 1.exe, 00000002.00000003.3047456493.0000017A3BAAD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056719202.0000017A3BAAE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045170741.0000017A3BAA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042333473.0000017A3BA96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/8B
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/Cd
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/CdSe
Source: 1.exe, 00000002.00000003.3054243290.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033943293.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/en
Source: powershell.exe, 0000001B.00000002.2284479122.000001CE2EEC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1.exe, 00000002.00000003.3042660136.0000017A3ADEF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044166321.0000017A3B6BB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041546488.0000017A3B932000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053077672.0000017A3AE11000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035717266.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038202220.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039691074.0000017A3B6B7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048315405.0000017A3ADFD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047326892.0000017A3ADF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046492479.0000017A3B933000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3050933300.0000017A3ADFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056684147.0000017A3AE13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: 1.exe, 00000002.00000003.3052626504.0000017A387A8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051508240.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042600296.0000017A38790000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041937878.0000017A38778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: powershell.exe, 0000001B.00000002.2284479122.000001CE3070E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043146851.0000017A3BBB8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047805687.0000017A3BBDB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058449892.0000017A3ADD4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035717266.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038202220.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047837548.0000017A3BBDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043146851.0000017A3BBB8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047805687.0000017A3BBDB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047837548.0000017A3BBDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/G
Source: 1.exe, 00000002.00000003.2067027877.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068286975.0000017A3ABB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067027877.0000017A3AB48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068023103.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: 1.exe, 00000002.00000003.3059592068.0000017A3BAF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046492479.0000017A3BA2B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3062055214.0000017A3BA38000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035036468.0000017A3BAE7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042759887.0000017A3BA37000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041546488.0000017A3BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2051546160.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2049289450.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044118745.0000017A3BBEB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043146851.0000017A3BBB8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044779649.0000017A3BC07000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: 1.exe, 00000002.00000003.3061197450.0000017A3B705000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044166321.0000017A3B6E4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039691074.0000017A3B6E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: 1.exe, 00000002.00000003.2067027877.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067835413.0000017A3A76F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067085289.0000017A3A76E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: 1.exe, 00000002.00000003.3057024319.0000017A3BCEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftPGRAD~1.JSOy.z
Source: 1.exe, 00000002.00000003.2067027877.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068286975.0000017A3ABB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067027877.0000017A3AB48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068023103.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: 1.exe, 00000002.00000003.3053446059.0000017A3BC6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058225119.0000017A3BC6D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3060537279.0000017A3BC79000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042437768.0000017A3B8A1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056117482.0000017A3BC6D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058929431.0000017A3BC78000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046937631.0000017A3B8A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: 1.exe, 00000002.00000003.3040787963.0000017A3A5B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://MD8.mozilla.org/1/m
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000001B.00000002.2284479122.000001CE2EEC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://allegro.pl/
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: 1.exe, 00000002.00000003.3060113758.0000017A3BD48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2191949277.0000017A3BD47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://boxmatrix.info/wiki/Property:arping
Source: 1.exe, 00000002.00000003.2140790853.0000017A3CCED000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056117482.0000017A3BCBF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053446059.0000017A3BCBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://brew.sh
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054778444.0000017A3CDF3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2194817044.0000017A3CDF3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033363208.0000017A3CDF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/pypa/setuptools
Source: powershell.exe, 0000001B.00000002.2298150124.000001CE3EF3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001B.00000002.2298150124.000001CE3EF3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001B.00000002.2298150124.000001CE3EF3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/803025117553754132/815945031150993468
Source: 1.exe, 00000002.00000003.3058929431.0000017A3BC78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordverify.tech/webhooks/hyzen_exod/
Source: 1.exe, 00000002.00000003.3037056352.0000017A3A4FD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044385211.0000017A3A537000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041276011.0000017A3A536000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039609311.0000017A3A500000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039874939.0000017A3A52F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058622125.0000017A3A549000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046082292.0000017A3A537000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: 1.exe, 00000002.00000003.2066280806.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068345390.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076996776.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2066065840.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2075124048.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034959002.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2080508443.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040956293.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045780862.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067085289.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: 1.exe, 00000002.00000003.3041310003.0000017A3A66B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3062686164.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045575233.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037789521.0000017A3A657000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051864023.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042279402.0000017A3A697000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040522447.0000017A3A658000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040851429.0000017A3A668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: 1.exe, 00000002.00000003.3041310003.0000017A3A66B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3062686164.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045575233.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037789521.0000017A3A657000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051864023.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042279402.0000017A3A697000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040522447.0000017A3A658000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040851429.0000017A3A668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: 1.exe, 00000002.00000003.2076513899.0000017A3AD11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: 1.exe, 00000002.00000003.2076513899.0000017A3ACD2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076513899.0000017A3AD11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: 1.exe, 00000002.00000003.3054041207.0000017A3BA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 0000001B.00000002.2284479122.000001CE3070E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: 1.exe, 00000002.00000003.3060113758.0000017A3BD48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2191949277.0000017A3BD47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/ThomasHabets/arping
Source: 1.exe, 00000002.00000003.3041344247.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060985301.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060791331.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: 1.exe, 00000000.00000003.2052790145.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053042119.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030030525.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2056376323.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055957694.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2056254055.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2056254055.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2056078608.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/black
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/discussions
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/workflows/tests/badge.svg
Source: 1.exe, 00000002.00000003.2080221915.0000017A3ADDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: 1.exe, 00000002.00000003.2060791331.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: 1.exe, 00000002.00000003.3041344247.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060985301.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060791331.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: 1.exe, 00000002.00000003.3040522447.0000017A3A658000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061936176.0000017A3A65B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/863
Source: 1.exe, 00000002.00000003.3037056352.0000017A3A4FD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044385211.0000017A3A537000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041276011.0000017A3A536000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2064096224.0000017A3A6CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039609311.0000017A3A500000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2065358830.0000017A3A523000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2065201994.0000017A3A4EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2064210655.0000017A3A6D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061014733.0000017A3A54C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039874939.0000017A3A52F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058622125.0000017A3A549000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046082292.0000017A3A537000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: 1.exe, 00000002.00000003.3037789521.0000017A3A657000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2064902810.0000017A3A64D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2065830974.0000017A3A606000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067085289.0000017A3A606000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2066280806.0000017A3A606000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/863i
Source: 1.exe, 00000002.00000003.3041344247.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060985301.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060791331.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: 1.exe, 00000002.00000003.3060055871.0000017A3AAEC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054041207.0000017A3BA90000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037864648.0000017A3A73B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061835558.0000017A3BA32000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3052255260.0000017A3A753000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040956293.0000017A3A73C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034959002.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3060982470.0000017A3A75D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041120592.0000017A3A752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: 1.exe, 00000002.00000003.3060055871.0000017A3AAEC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061835558.0000017A3BA32000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: 1.exe, 00000002.00000003.3040787963.0000017A3A5B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: 1.exe, 00000002.00000003.3041120592.0000017A3A752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: 1.exe, 00000002.00000003.3054243290.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045012618.0000017A3AB36000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033943293.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047456493.0000017A3BAAD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056719202.0000017A3BAAE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045170741.0000017A3BAA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042333473.0000017A3BA96000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: 1.exe, 00000002.00000003.3053812713.0000017A3B7F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/code%20style-black-000000.svg
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2022-informational
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/discord/803025117553754132
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/setuptools.svg
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/setuptools.svg
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/readthedocs/setuptools/latest.svg
Source: 1.exe, 00000002.00000003.3037700559.0000017A3B60D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040522447.0000017A3A658000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041153135.0000017A3A69D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3050933300.0000017A3ADFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040851429.0000017A3A668000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3052774406.0000017A3B72B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2080221915.0000017A3ADDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: 1.exe, 00000002.00000003.3054041207.0000017A3BA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: powershell.exe, 0000001B.00000002.2298150124.000001CE3F072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2284479122.000001CE30795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2298150124.000001CE3EF3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 1.exe, 00000002.00000003.3055082529.0000017A3B90B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053783116.0000017A3B6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: 1.exe, 00000002.00000003.3060113758.0000017A3BD48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2191949277.0000017A3BD47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packages.debian.org/sid/iputils-arping
Source: 1.exe, 00000002.00000003.3042660136.0000017A3ADEF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035717266.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053378498.0000017A3ADFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2080459542.0000017A3B691000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038202220.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048315405.0000017A3ADFD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047326892.0000017A3ADF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3050933300.0000017A3ADFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2080221915.0000017A3ADDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/installing/
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/pypa/setuptools/main/docs/images/banner-640x320.svg
Source: 1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: 1.exe, 00000002.00000003.3053812713.0000017A3B7F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/
Source: 1.exe, 00000002.00000003.2066280806.0000017A3A5BA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067027877.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2074696121.0000017A3AB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076775219.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053018848.0000017A3ABAB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2078098059.0000017A3AB50000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068023103.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041046094.0000017A3AB66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048191712.0000017A3ABAA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2066211223.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2070576133.0000017A3AB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AB50000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068641821.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3057121566.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053109367.0000017A3ABAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/stable/history.html
Source: 1.exe, 00000002.00000003.3041973003.0000017A3AC2A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051198994.0000017A3AC31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045012618.0000017A3AB50000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076513899.0000017A3ACD2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3062217545.0000017A3AD16000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037571529.0000017A3AD06000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3AD06000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054419957.0000017A3AD0A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037789521.0000017A3A657000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044321974.0000017A3AD06000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038616443.0000017A3AC2A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048428339.0000017A3AC30000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2078098059.0000017A3AB50000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2078098059.0000017A3AC2A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3AC2A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040522447.0000017A3A658000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041153135.0000017A3A69D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3049760226.0000017A3AD0A000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040851429.0000017A3A668000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AB50000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045224507.0000017A3AD07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: 1.exe, 00000002.00000003.2168054885.0000017A3D041000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2166742734.0000017A3CE10000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169489926.0000017A3CE10000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2173691185.0000017A3BDB6000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2173937925.0000017A3CE10000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169885308.0000017A3BDB6000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2174728029.0000017A3D041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: 1.exe, 00000002.00000003.2168838863.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2145787875.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192175449.0000017A3CE59000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054548134.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 1.exe, 00000002.00000003.2191949277.0000017A3BD80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2163066519.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3055568442.0000017A3BD86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2168838863.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2174128521.0000017A3BD85000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2195041697.0000017A3BD84000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2145787875.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192175449.0000017A3CE59000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034581211.0000017A3BD7E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034616679.0000017A3BD84000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054548134.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: 1.exe, 00000002.00000003.2165342258.0000017A3CE83000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047233307.0000017A3CD3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 1.exe, 00000002.00000003.2174728029.0000017A3D041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.orgw
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/github/pypa/setuptools?style=flat
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=readme
Source: 1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral
Source: 1.exe, 00000002.00000003.3058347091.0000017A3B6AE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053783116.0000017A3B6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: 1.exe, 00000002.00000003.3059592068.0000017A3BAF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046492479.0000017A3BA2B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3062055214.0000017A3BA38000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035036468.0000017A3BAE7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042759887.0000017A3BA37000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041546488.0000017A3BA2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: 1.exe, 00000002.00000003.3054041207.0000017A3BA90000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037864648.0000017A3A73B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3052255260.0000017A3A753000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040956293.0000017A3A73C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034959002.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3060982470.0000017A3A75D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041120592.0000017A3A752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://weibo.com/
Source: 1.exe, 00000002.00000003.3042251531.0000017A3A4B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041698267.0000017A3A4AD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037833269.0000017A3A4A8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058185360.0000017A3A4B9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046206555.0000017A3A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.ca/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.co.uk/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.fr/
Source: 1.exe, 00000000.00000003.2046396219.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: 1.exe, 00000000.00000003.2046478664.00000252636D3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2046396219.00000252636D3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2046396219.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.avito.ru/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.bbc.co.uk/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ctrip.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: 1.exe, 00000002.00000003.3035920928.0000017A3B63B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043851224.0000017A3B644000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058556484.0000017A3AAB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ifeng.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.iqiyi.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.leboncoin.fr/
Source: 1.exe, 00000002.00000003.3053446059.0000017A3BC6B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059592068.0000017A3BAF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058225119.0000017A3BC6D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3060537279.0000017A3BC6E000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035036468.0000017A3BAE7000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056117482.0000017A3BC6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.manpagez.com/man/8/networksetup/
Source: 1.exe, 00000002.00000003.2168054885.0000017A3D041000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2166742734.0000017A3CE10000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169489926.0000017A3CE10000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2173691185.0000017A3BDB6000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2173937925.0000017A3CE10000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169885308.0000017A3BDB6000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176480211.0000017A3E448000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2174728029.0000017A3D041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 1.exe, 00000002.00000003.3033614121.0000017A3CE23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2163066519.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2193712911.0000017A3CE23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2168838863.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2173937925.0000017A3CE13000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054778444.0000017A3CE23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2166545220.0000017A3CE23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2145787875.0000017A3CE23000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2145787875.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056035916.0000017A3CE24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 1.exe, 00000002.00000003.2165342258.0000017A3CE83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 1.exe, 00000002.00000003.2168838863.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2145787875.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192175449.0000017A3CE59000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054548134.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 1.exe, 00000002.00000003.2165342258.0000017A3CE83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 1.exe, 00000002.00000003.2163066519.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2168838863.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2145787875.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 1.exe, 00000002.00000003.2164573073.0000017A3CEB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2175029957.0000017A3D236000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165342258.0000017A3CE83000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2172953776.0000017A3CEB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 1.exe, 00000002.00000003.2165342258.0000017A3CE83000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2163066519.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2168838863.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2145787875.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 1.exe, 00000002.00000003.2145787875.0000017A3CE10000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: 1.exe, 00000002.00000003.2165342258.0000017A3CE83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 1.exe, 00000002.00000003.2165342258.0000017A3CE83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: 1.exe, 00000002.00000003.3056117482.0000017A3BC5F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3060537279.0000017A3BC67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/docs/manmaster/man5/
Source: 1.exe, 00000002.00000003.3053812713.0000017A3B7F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: 1.exe, 00000002.00000003.3054041207.0000017A3BA90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: 1.exe, 00000002.00000003.2059927991.0000017A3A513000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2059853909.0000017A3A4FB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2059853909.0000017A3A50E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/
Source: 1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.zhihu.com/
Source: 1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3052032179.0000017A3BBDC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043146851.0000017A3BBB8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047805687.0000017A3BBDB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3052569220.0000017A3BBDD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: 1.exe, 00000002.00000003.3060055871.0000017A3AAEC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061835558.0000017A3BA32000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1975C74	0_2_00007FF7E1975C74
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E196FBD8	0_2_00007FF7E196FBD8
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1974F10	0_2_00007FF7E1974F10
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1951000	0_2_00007FF7E1951000
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1967AAC	0_2_00007FF7E1967AAC
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1978A38	0_2_00007FF7E1978A38
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1961280	0_2_00007FF7E1961280
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1960A60	0_2_00007FF7E1960A60
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19691B0	0_2_00007FF7E19691B0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E196D200	0_2_00007FF7E196D200
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E197518C	0_2_00007FF7E197518C
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1962CC4	0_2_00007FF7E1962CC4
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1961484	0_2_00007FF7E1961484
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1960C64	0_2_00007FF7E1960C64
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19733BC	0_2_00007FF7E19733BC
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19673F4	0_2_00007FF7E19673F4
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1958B20	0_2_00007FF7E1958B20
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1970B84	0_2_00007FF7E1970B84
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1960E70	0_2_00007FF7E1960E70
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19595FB	0_2_00007FF7E19595FB
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E196CD6C	0_2_00007FF7E196CD6C
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19628C0	0_2_00007FF7E19628C0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1965040	0_2_00007FF7E1965040
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E196D880	0_2_00007FF7E196D880
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1961074	0_2_00007FF7E1961074
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1959FCD	0_2_00007FF7E1959FCD
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E195979B	0_2_00007FF7E195979B
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1972F20	0_2_00007FF7E1972F20
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1975728	0_2_00007FF7E1975728
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1961F30	0_2_00007FF7E1961F30
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E196FBD8	0_2_00007FF7E196FBD8

Source: C:\Users\user\Desktop\1.exe

Code function: String function: 00007FF7E19525F0 appears 50 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: python3.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: 1.exe, 00000000.00000003.2035711607.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2033177993.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2033383204.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2054355975.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1.exe
Source: 1.exe, 00000000.00000003.2036295660.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2050878278.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs 1.exe
Source: 1.exe, 00000000.00000003.2052790145.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom311.dll0 vs 1.exe
Source: 1.exe, 00000000.00000003.2036795229.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2036604326.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2030310399.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs 1.exe
Source: 1.exe, 00000000.00000003.2053931174.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs 1.exe
Source: 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2050481524.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs 1.exe
Source: 1.exe, 00000000.00000003.2035998878.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2030494414.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs 1.exe
Source: 1.exe, 00000000.00000003.2035294894.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2034682713.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2034317373.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2053042119.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes311.dll0 vs 1.exe
Source: 1.exe, 00000000.00000003.2030030525.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2036702135.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2032614855.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2056376323.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshell.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2033316380.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2034131917.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2036488537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2031871197.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2035205300.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2035544467.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2033452321.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2032754537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2034211271.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2036390732.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2035915792.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2055957694.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2033795752.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2035024973.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2035374269.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2056254055.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2056254055.00000252636D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2031707602.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2034915497.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2035112936.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2034773015.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2034058778.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2033108865.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2056078608.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32crypt.pyd0 vs 1.exe
Source: 1.exe, 00000000.00000003.2033524827.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2035463779.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2033032716.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2032963298.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2036212878.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2036977171.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2036888029.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2035624504.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2035791816.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2033639541.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe
Source: 1.exe, 00000000.00000003.2032881754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs 1.exe
Source: 1.exe, 00000000.00000003.2033247099.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1.exe

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc

Source: classification engine

Classification label: mal96.spyw.evad.winEXE@61/210@6/6

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E19529E0 GetLastError,FormatMessageW,MessageBoxW,

0_2_00007FF7E19529E0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03

Source: C:\Users\user\Desktop\1.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI63922

Jump to behavior

Source: 1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "exodus.exe")
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "exodus.exe")
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.exe	ReversingLabs: Detection: 50%
Source: 1.exe	Virustotal: Detection: 51%

Source: C:\Users\user\Desktop\1.exe

File read: C:\Users\user\Desktop\1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /f /im exodus.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im exodus.exe
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get TotalPhysicalMemory
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /f /im exodus.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get TotalPhysicalMemory	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im exodus.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Users\user\Desktop\1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 1.exe

Static file information: File size 25435744 > 1048576

Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036212878.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036604326.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: 1.exe, 00000000.00000003.2033316380.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034131917.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033108865.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035374269.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035915792.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036702135.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 1.exe, 00000000.00000003.2030310399.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: 1.exe, 00000000.00000003.2032268325.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033524827.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 1.exe, 00000000.00000003.2030494414.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035544467.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035205300.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035791816.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: 1.exe, 00000000.00000003.2032034410.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033177993.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034682713.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: 1.exe, 00000000.00000003.2032963298.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: 1.exe, 00000000.00000003.2030580754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033247099.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035711607.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: 1.exe, 00000000.00000003.2030676349.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034915497.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: 1.exe, 00000000.00000003.2032504071.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 1.exe, 00000000.00000003.2030494414.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036888029.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 1.exe, 00000000.00000003.2055498131.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033452321.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 1.exe, 00000000.00000003.2035294894.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034317373.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: 1.exe, 00000000.00000003.2032340551.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033032716.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035624504.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 1.exe, 00000000.00000003.2030310399.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-311\Release\win32trace.pdb source: 1.exe, 00000000.00000003.2056254055.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036295660.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 1.exe, 00000000.00000003.2034058778.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 1.exe, 00000000.00000003.2034773015.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: 1.exe, 00000000.00000003.2053191982.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 1.exe, 00000000.00000003.2034211271.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036390732.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036977171.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035024973.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035463779.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035112936.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: 1.exe, 00000000.00000003.2033383204.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: 1.exe, 00000000.00000003.2032159357.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036488537.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033795752.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: 1.exe, 00000000.00000003.2032881754.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: 1.exe, 00000000.00000003.2032425609.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 1.exe, 00000000.00000003.2033639541.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: 1.exe, 00000000.00000003.2051008596.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 1.exe, 00000000.00000003.2035998878.00000252636C5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 1.exe, 00000000.00000003.2036795229.00000252636C5000.00000004.00000020.00020000.00000000.sdmp

Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName	Jump to behavior

Source: api-ms-win-core-file-l1-2-0.dll.0.dr

Static PE information: 0x6A762B3D [Fri Aug 7 19:00:13 2026 UTC]

Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 27_2_00007FF846E219BB pushad ; ret		27_2_00007FF846E219C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 30_2_00007FF846E50D20 push eax; retf		30_2_00007FF846E50D4D

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\1.exe

Process created: "C:\Users\user\Desktop\1.exe"

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_webp.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_imagingmath.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_imagingcms.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_imaging.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_imagingtk.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Util\_cpuid_c.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E1956EA0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF7E1956EA0

Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\1.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3602
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1711
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3246
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 755
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3076
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 987

Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_webp.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_imagingmath.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_imagingcms.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_imaging.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL\_imagingtk.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Util\_cpuid_c.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\1.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17039

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6188	Thread sleep count: 3602 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6048	Thread sleep count: 1711 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4324	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4088	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 344	Thread sleep count: 3246 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 344	Thread sleep count: 755 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3220	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972	Thread sleep count: 3076 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768	Thread sleep count: 987 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1248	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\1.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19579B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF7E19579B0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E19585A0 FindFirstFileExW,FindClose,	0_2_00007FF7E19585A0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1970B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7E1970B84

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\pythonwin	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-console-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\win32	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-datetime-l1-1-0.dll	Jump to behavior

Source: 1.exe, 00000000.00000003.2038864150.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: 1.exe, 00000002.00000003.3037789521.0000017A3A657000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076996776.0000017A3A699000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2075124048.0000017A3A69D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040522447.0000017A3A658000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041153135.0000017A3A69D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067085289.0000017A3A69D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040851429.0000017A3A668000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2065830974.0000017A3A69D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2066280806.0000017A3A69D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz

Source: C:\Users\user\Desktop\1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E1969924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7E1969924

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E1972790 GetProcessHeap,

0_2_00007FF7E1972790

Source: C:\Users\user\Desktop\1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E1969924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7E1969924
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E195C44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7E195C44C
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E195BBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7E195BBC0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_00007FF7E195C62C SetUnhandledExceptionFilter,	0_2_00007FF7E195C62C

Source: C:\Users\user\Desktop\1.exe	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "taskkill /f /im exodus.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get TotalPhysicalMemory	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /f /im exodus.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /f /im exodus.exe

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E1978880 cpuid

0_2_00007FF7E1978880

Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\PIL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-console-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-file-l2-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-handle-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-heap-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-interlocked-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-libraryloader-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-memory-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-processenvironment-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-processthreads-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-core-profile-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-math-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-multibyte-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-process-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-stdio-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-string-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\api-ms-win-crt-utility-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\python3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32\pywintypes311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32\pythoncom311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922\cryptography-43.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\Desktop\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI63922 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E195C330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7E195C330

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_00007FF7E1974F10 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7E1974F10

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 1.exe, 00000002.00000003.2140609288.0000017A3BD78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
Source: 1.exe, 00000002.00000003.2140609288.0000017A3BD78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet1
Source: 1.exe, 00000002.00000003.2140609288.0000017A3BD78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: 1.exe, 00000002.00000003.3053446059.0000017A3BC6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: async setPassphrase(e){const embed={color:3553599,title:"Exodus Injection",fields:[{name:"Passwords:",value:`${e}
Source: 1.exe, 00000002.00000003.2140609288.0000017A3BD78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore
Source: 1.exe, 00000002.00000003.2140609288.0000017A3BD78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: 1.exe, 00000002.00000003.2140609288.0000017A3BD78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystore

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	31 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	2 File and Directory Discovery	Remote Desktop Protocol	4 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	34 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	1 Timestomp	NTDS	61 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Modify Registry	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1.exe	50%	ReversingLabs	Win64.Trojan.ReverseShell
1.exe	51%	Virustotal		Browse
1.exe	100%	Avira	TR/PSW.Agent.buior

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI63922\Cryptodome\Hash\_RIPEMD160.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.microsoftPGRAD~1.JSOy.z	0%	Avira URL Cloud	safe
https://discordverify.tech/webhooks/hyzen_exod/	0%	Avira URL Cloud	safe
http://repository.swisssign.com/Cd	0%	Avira URL Cloud	safe
https://tidelift.com/security	0%	Avira URL Cloud	safe
https://boxmatrix.info/wiki/Property:arping	0%	Avira URL Cloud	safe
http://repository.swisssign.com/en	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
idefasoft.fr	151.80.152.246	true	false	unknown
tiktok.com	18.66.112.128	true	false	high
ipinfo.io	34.117.59.81	true	false	high
ip-api.com	208.95.112.1	true	false	high
transfer.sh	144.76.136.153	true	false	high
api.gofile.io	45.112.123.126	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/?fields=hosting,query	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://aka.ms/vcp	1.exe, 00000002.00000003.3035920928.0000017A3B63B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043851224.0000017A3B644000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf	1.exe, 00000002.00000003.3055082529.0000017A3B90B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053783116.0000017A3B6AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.avito.ru/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://img.shields.io/badge/skeleton-2022-informational	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mhammond/pywin32	1.exe, 00000000.00000003.2052790145.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2053042119.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2030030525.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2056376323.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2055957694.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2056254055.00000252636C5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2056254055.00000252636D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2056078608.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ctrip.com/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/pyversions/setuptools.svg	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/v/setuptools.svg	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl4	1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/library/unittest.html	1.exe, 00000002.00000003.3043851224.0000017A3B634000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036160557.0000017A3B62B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043908220.0000017A3B63A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	1.exe, 00000002.00000003.3041344247.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060985301.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060791331.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.leboncoin.fr/	1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl=	1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/actions?query=workflow%3ACI	1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/security	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	1.exe, 00000002.00000003.3058347091.0000017A3B6AE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053783116.0000017A3B6AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	1.exe, 00000000.00000003.2046478664.00000252636D3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2046396219.00000252636D3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.2046396219.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	1.exe, 00000002.00000003.3037056352.0000017A3A4FD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044385211.0000017A3A537000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041276011.0000017A3A536000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039609311.0000017A3A500000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039874939.0000017A3A52F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058622125.0000017A3A549000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046082292.0000017A3A537000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://weibo.com/	1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/Cd	1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoftPGRAD~1.JSOy.z	1.exe, 00000002.00000003.3057024319.0000017A3BCEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pypi.org/project/setuptools	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/workflows/tests/badge.svg	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000001B.00000002.2298150124.000001CE3F072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2284479122.000001CE30795000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2298150124.000001CE3EF3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	1.exe, 00000002.00000003.3052626504.0000017A387A8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051508240.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042600296.0000017A38790000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041937878.0000017A38778000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.reddit.com/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://packages.debian.org/sid/iputils-arping	1.exe, 00000002.00000003.3060113758.0000017A3BD48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2191949277.0000017A3BD47000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000001B.00000002.2284479122.000001CE2EEC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.ca/	1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/863i	1.exe, 00000002.00000003.3037789521.0000017A3A657000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2064902810.0000017A3A64D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2065830974.0000017A3A606000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067085289.0000017A3A606000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2066280806.0000017A3A606000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discordverify.tech/webhooks/hyzen_exod/	1.exe, 00000002.00000003.3058929431.0000017A3BC78000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/pprint.html	1.exe, 00000002.00000003.3041310003.0000017A3A66B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3062686164.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045575233.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037789521.0000017A3A657000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051864023.0000017A3A698000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042279402.0000017A3A697000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040522447.0000017A3A658000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040851429.0000017A3A668000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ebay.co.uk/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/get	1.exe, 00000002.00000003.3054243290.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045012618.0000017A3AB36000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033943293.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047456493.0000017A3BAAD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056719202.0000017A3BAAE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045170741.0000017A3BAA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042333473.0000017A3BA96000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000001B.00000002.2284479122.000001CE3070E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access	1.exe, 00000002.00000003.2066280806.0000017A3A5BA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067027877.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2074696121.0000017A3AB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076775219.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053018848.0000017A3ABAB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2078098059.0000017A3AB50000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068023103.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041046094.0000017A3AB66000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048191712.0000017A3ABAA000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2066211223.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2070576133.0000017A3AB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AB50000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068641821.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3057121566.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053109367.0000017A3ABAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ebay.de/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000001B.00000002.2284479122.000001CE3070E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	1.exe, 00000002.00000003.3041344247.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060985301.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060791331.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/	1.exe, 00000002.00000003.2176480211.0000017A3E3EC000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	1.exe, 00000002.00000003.3037056352.0000017A3A4FD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3044385211.0000017A3A537000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041276011.0000017A3A536000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2064096224.0000017A3A6CB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039609311.0000017A3A500000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2065358830.0000017A3A523000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2065201994.0000017A3A4EC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2064210655.0000017A3A6D2000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061014733.0000017A3A54C000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3039874939.0000017A3A52F000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058622125.0000017A3A549000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046082292.0000017A3A537000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000001B.00000002.2298150124.000001CE3EF3B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://httpbin.org/	1.exe, 00000002.00000003.3041120592.0000017A3A752000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	1.exe, 00000000.00000003.2046396219.00000252636C5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3052032179.0000017A3BBDC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043146851.0000017A3BBB8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047805687.0000017A3BBDB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3052569220.0000017A3BBDD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://codecov.io/gh/pypa/setuptools	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	1.exe, 00000002.00000003.2067027877.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068286975.0000017A3ABB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067027877.0000017A3AB48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068023103.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/863	1.exe, 00000002.00000003.3040522447.0000017A3A658000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061936176.0000017A3A65B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	1.exe, 00000002.00000003.2168838863.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2145787875.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192175449.0000017A3CE59000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054548134.0000017A3CE5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://allegro.pl/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 0000001B.00000002.2284479122.000001CE3070E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042759887.0000017A3BA37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	1.exe, 00000002.00000003.3041344247.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060985301.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2060791331.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/en	1.exe, 00000002.00000003.3054243290.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033943293.0000017A3B776000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://MD8.mozilla.org/1/m	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://brew.sh	1.exe, 00000002.00000003.2140790853.0000017A3CCED000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056117482.0000017A3BCBF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053446059.0000017A3BCBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/multiprocessing.html	1.exe, 00000002.00000003.2066280806.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068345390.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2076996776.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2066065840.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2075124048.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034959002.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2080508443.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3040956293.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3045780862.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067085289.0000017A3A726000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html	1.exe, 00000002.00000003.2076513899.0000017A3AD11000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wiki.debian.org/XDGBaseDirectorySpecification#state	1.exe, 00000002.00000003.3042251531.0000017A3A4B4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041698267.0000017A3A4AD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037833269.0000017A3A4A8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058185360.0000017A3A4B9000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3046206555.0000017A3A4B5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	1.exe, 00000002.00000003.3040787963.0000017A3A5B5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugzilla.mo	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3054778444.0000017A3CDF3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2194817044.0000017A3CDF3000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3033363208.0000017A3CDF3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	1.exe, 00000002.00000003.3052626504.0000017A387A8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051508240.0000017A38798000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042600296.0000017A38790000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3041937878.0000017A38778000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/security/	1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	1.exe, 00000002.00000003.3045170741.0000017A3BAA5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042333473.0000017A3BA96000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	1.exe, 00000002.00000003.2165342258.0000017A3CE83000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047233307.0000017A3CD3C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043146851.0000017A3BBB8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047805687.0000017A3BBDB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3058449892.0000017A3ADD4000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035717266.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038202220.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047837548.0000017A3BBDF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://boxmatrix.info/wiki/Property:arping	1.exe, 00000002.00000003.3060113758.0000017A3BD48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2191949277.0000017A3BD47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	1.exe, 00000002.00000003.3060055871.0000017A3AAEC000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037300715.0000017A3BA31000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3061835558.0000017A3BA32000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es00	1.exe, 00000002.00000003.3032955332.0000017A3BB80000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3037365734.0000017A3BB86000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043762058.0000017A3BB97000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3042914244.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3051462731.0000017A3AB19000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3036275094.0000017A3AAE8000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3043668790.0000017A3BB88000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	1.exe, 00000002.00000003.2060791331.0000017A387B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	1.exe, 00000002.00000003.2067027877.0000017A3AB87000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068286975.0000017A3ABB1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2067027877.0000017A3AB48000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2068023103.0000017A3ABAF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.iqiyi.com/	1.exe, 00000002.00000003.2176480211.0000017A3E35C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/cryptography/badge/?version=latest	1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3059885909.0000017A3B85B000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/installing/	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	1.exe, 00000002.00000003.3042660136.0000017A3ADEF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3034119233.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3053077672.0000017A3AE11000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3035717266.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3038202220.0000017A3ADCF000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3048315405.0000017A3ADFD000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3047326892.0000017A3ADF5000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3050933300.0000017A3ADFE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.3056684147.0000017A3AE13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	1.exe, 00000002.00000003.3054041207.0000017A3BA90000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc5869	1.exe, 00000002.00000003.3055639190.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2140689222.0000017A3B833000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2192359839.0000017A3B840000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2165760063.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2169324166.0000017A3B841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/psf/black	1.exe, 00000000.00000003.2053462914.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography	1.exe, 00000000.00000003.2045586111.00000252636C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	1.exe, 00000002.00000003.2059927991.0000017A3A513000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2059853909.0000017A3A4FB000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000002.00000003.2059853909.0000017A3A50E000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
144.76.136.153	transfer.sh	Germany	24940	HETZNER-ASDE	false
18.66.112.128	tiktok.com	United States	3	MIT-GATEWAYSUS	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
151.80.152.246	idefasoft.fr	Italy	16276	OVHFR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585170
Start date and time:	2025-01-07 08:57:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.exe
Detection:	MAL
Classification:	mal96.spyw.evad.winEXE@61/210@6/6
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 68
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 5584 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6160 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	SharkHack.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	paint.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	DownloadedMessage.zip	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	Pralevia Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	34.117.59.81
ip-api.com	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SharkHack.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	paint.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIT-GATEWAYSUS	miori.x86.elf	Get hash	malicious	Unknown	Browse	18.43.155.129
	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	18.66.102.79
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	18.173.205.50
	sh4.elf	Get hash	malicious	Mirai	Browse	19.44.195.99
	arm4.elf	Get hash	malicious	Mirai	Browse	19.240.78.71
	ppc.elf	Get hash	malicious	Mirai	Browse	18.66.1.18
	w3245.exe	Get hash	malicious	Unknown	Browse	18.173.219.113
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	18.66.102.51
	https://u43161309.ct.sendgrid.net/ls/click?upn=u001.L9-2FCbhkaoUACh7As3yZ8i4iABGphfl-2FJgS6Xiu1aw6I-3DgXpA_qO4VbBWAKg4gLfGs-2BfuSyZki3gKzG4I1DrYN15Q8fD7JV1twLeLo1AFs1GBSG3ZgA22dFJdXJloKc56aXDeV3olJKTBJd8NprednZ2LeXdX-2BkcSQE-2F2FRwgBng5RbUCLfjS8-2FI3mrpwyYu9lRatIB62qUwPSax-2Fhh2c7R-2B7pT3Kos0wK0SEJGj4ZMkgOGYhEniKYT7Kn7jN25xFz2sFdtPlVQkIdCFKwDNWmq-2BrAxerZE2GuKgfkuf3l1UY4J42sOOltybAAVyLhV-2BXfmbuQpN4NpshXRIuhta8ho3ChcTA5NtgjludQThyLtwhGns-2ByLqSbpO1Bhhc-2FCgdgP-2BAOxYrGHvKHjVYRr6-2BiryADxfM-3D	Get hash	malicious	HTMLPhisher	Browse	18.66.102.51
HETZNER-ASDE	miori.x86.elf	Get hash	malicious	Unknown	Browse	144.79.65.29
	sfqbr.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	94.130.22.61
	http://yamjoop.site	Get hash	malicious	Unknown	Browse	116.203.80.157
	ZipThis.exe	Get hash	malicious	Unknown	Browse	5.161.105.73
	https://tfeweb.co.uk/signoff	Get hash	malicious	Unknown	Browse	144.76.9.200
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	136.243.225.5
	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	88.198.57.50
	http://www.housepricesintheuk.co.uk	Get hash	malicious	Unknown	Browse	178.63.241.79
	getscreen-524501439-x86.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
TUT-ASUS	YPzNsfg4nR.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SAL987656700.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	BootstrapperV1.16.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	SharkHack.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	paint.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_ARC4.pyd	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse
	vj0Vxt8xM4.exe	Get hash	malicious	Unknown	Browse
	snmpapi.exe	Get hash	malicious	Braodo	Browse
	snmpapi.exe	Get hash	malicious	Braodo	Browse
	54Oa5PcvK1.exe	Get hash	malicious	Unknown	Browse
	LmZVhGD5jF.exe	Get hash	malicious	Unknown	Browse
	zW72x5d91l.bat	Get hash	malicious	Unknown	Browse
	7EznMik8Fw.exe	Get hash	malicious	Python Stealer	Browse
	MkWMm5piE5.exe	Get hash	malicious	Python Stealer	Browse

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

Process:	C:\Users\user\Desktop\1.exe
File Type:	Zip archive data, at least v6.3 to extract, compression method=AES Encrypted
Category:	dropped
Size (bytes):	479520
Entropy (8bit):	7.999416306001282
Encrypted:	true
SSDEEP:	12288:2EiLL08Y8sCUzL8q3EMcgZKNkBGAE0KP7Wpr29r:2X/yCUzQq3EM3ZKNTAyPipi1
MD5:	0F9D684CAD433B5C27475CAA9EB465B9
SHA1:	8EDFA1EEEAB65FFFCF09A51D7E33797F00C2235B
SHA-256:	DFFDB67E254653A3D6EB0CB32946575A32115A71B03CFE8CE4B1F49C058EA93D
SHA-512:	10BB69DBC733B3EE3E90113D269F18D57EA11FD37875453E593B3BC5C0D2010184756A80B2B5781735AC2D2EE71E73265FEE800855A4C70947DD522AFE41B171
Malicious:	false
Preview:	PK..?...c.Y.'Z.fs~............KRCrnheJsk/Data.txt......AE...%.+La.'..pV=l.,@./....QL..y.Y....+7.O...q....C.K.7..oW..eCY.-.UN........%.c]s.&....C.....2i..-.0.~.eI.`..O.O...q..nr.];.".+.8..`...Q.24..4]_.g1.(....p.I.....f.......HZ.\|1O69%..D.SR...TP.d.vd;E....rfR<.^....[..U.a........t..{`.'/P.i#PK..?...c.Y.'ZPU..f...l.......KRCrnheJsk/Errors.txt......AE...AQl....W}.eh.....Ic(.a_..=..ZFf.v.V..CY..8@o.J...1..s....p.2.H..".<.bS.?..O.d.....jo..U....U.6y.H..7.&..?.....,..h..h..5n...^.H.....9.\|."[[.n.....@......>4.8...2.e.a#....H....Yi@."dZm.Kl.H...;<.*u3f<=.BC3.Z.i........f..-.B;......3....1._. ..p...^V..zu.00>..Rf.p....#....#...k..h....O==.-r..D"..Dq/S.30.E...C................_q9...U:e.....!W}.p.,O..$N......>r.6Y.i.!.G+...........HX...3]d.?.m [.B.._.....}.~.....SdR..q..R...X.........en..H.I...&[.Udz........z...u'.N...o..m..>.!.[.SW....(Rr...""$....g....:C7.....Y.@#.xeQ.Z..4...........iL..'.;1tCT.].S8...~.O'Bw\P.q......6.B...\|h.....[..D.'

Process:	C:\Windows\System32\taskkill.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.261043983337285
Encrypted:	false
SSDEEP:	3:RLg9duHAFmLKUe9y:RLg9dugMe9y
MD5:	AD2E5CC5CADCC56B8446CE435BD42CE4
SHA1:	263793D122F1837B8916BF8623FE5AB4202E1131
SHA-256:	78609DB3A08FA8D24F189A78895E9E5D49580969F42692E466652EF04EB254B2
SHA-512:	A66C94FF4709245AD3F37DE98C9418D4AA1AEBE8EC234984E2BD6D80D6E76F7ABD70C0D357722714BB0C355716AFF3CB20970C01BE5FB4453AA3E5A523C9131E
Malicious:	false
Preview:	ERROR: The process "exodus.exe" not found...

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.997371210548079
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1.exe
File size:	25'435'744 bytes
MD5:	3689dace869abbbe4e87f57078f6bec9
SHA1:	568f5a26f433d55c2628e3e3a5555a9046b19ee3
SHA256:	610f9a21f99667ede85d082521e7b8150b158b80bc1d13c4498ac095b2316255
SHA512:	07f18aaa4119df6a7711a8b21157e15473f2b2654fea6eb426857f745cc1b45eb22646c1f754f47cfd07b43b1840d3d31a9762f9354e9db10f06d82552034d2e
SSDEEP:	393216:nEkQnvgKeQtss27CyDgPYVnNSMtW+eGQRJ93iObIhRS/DW3L8rpJ4s3E6spdp0w:nqjeQtspDgPQHW+e5RT9MhRD3Y9GQIZ
TLSH:	3247331742624962F9A4013F5006C6245A31AC1177ACF2FA9FB5F8552BFFFAE8A31F44
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc.....[hc...`.Qhc...g.Ihc...f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d..

Entrypoint:	0x14000c0d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B0ECA1 [Mon Aug 5 15:15:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	456e8615ad4320c9f54e50319a19df9c

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0xce34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x46000	0x2208	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x56000	0x768	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39dc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39c80	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x450	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29210	0x29400	aca64598002ecff9eefbc96554edf015	False	0.5511067708333334	data	6.4784482217419175	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12642	0x12800	66146420f548cf2acca472542a84c0d8	False	0.5245460304054054	data	5.750861752432239	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x73d8	0xe00	d0a288978c66419b180b35f625b6dce7	False	0.13532366071428573	data	1.8378139998458343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x46000	0x2208	0x2400	74cf3ea22e0a1756984435d6f80f7da5	False	0.4671223958333333	data	5.259201915045256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x49000	0xce34	0xd000	d717912eb54292316bc235b3159acb50	False	0.042367788461538464	data	3.816041843179243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x56000	0x768	0x800	71de9271648326ec88350e903470cf3e	False	0.5576171875	data	5.283119454571673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x490e8	0xc828	Device independent bitmap graphic, 128 x 256 x 24, image size 51200	0.02777127244340359
RT_GROUP_ICON	0x55910	0x14	data	1.15
RT_MANIFEST	0x55924	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

DLL	Import
USER32.dll	CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, FormatMessageW, GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, WaitForSingleObject, Sleep, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 08:58:09.112235069 CET	49705	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:09.112281084 CET	443	49705	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:09.112354040 CET	49705	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:09.113255024 CET	49705	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:09.113269091 CET	443	49705	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:09.762650967 CET	443	49705	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:09.763458967 CET	49705	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:09.763479948 CET	443	49705	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:09.764620066 CET	443	49705	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:09.764686108 CET	49705	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:09.766285896 CET	49705	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:09.766417027 CET	443	49705	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:09.766454935 CET	49705	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:09.766477108 CET	49705	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:11.566139936 CET	49706	443	192.168.2.5	18.66.112.128
Jan 7, 2025 08:58:11.566175938 CET	443	49706	18.66.112.128	192.168.2.5
Jan 7, 2025 08:58:11.566245079 CET	49706	443	192.168.2.5	18.66.112.128
Jan 7, 2025 08:58:11.566546917 CET	49706	443	192.168.2.5	18.66.112.128
Jan 7, 2025 08:58:11.566560984 CET	443	49706	18.66.112.128	192.168.2.5
Jan 7, 2025 08:58:12.283132076 CET	443	49706	18.66.112.128	192.168.2.5
Jan 7, 2025 08:58:12.283688068 CET	49706	443	192.168.2.5	18.66.112.128
Jan 7, 2025 08:58:12.283706903 CET	443	49706	18.66.112.128	192.168.2.5
Jan 7, 2025 08:58:12.284651041 CET	443	49706	18.66.112.128	192.168.2.5
Jan 7, 2025 08:58:12.284725904 CET	49706	443	192.168.2.5	18.66.112.128
Jan 7, 2025 08:58:12.286000013 CET	49706	443	192.168.2.5	18.66.112.128
Jan 7, 2025 08:58:12.286058903 CET	443	49706	18.66.112.128	192.168.2.5
Jan 7, 2025 08:58:12.286134958 CET	49706	443	192.168.2.5	18.66.112.128
Jan 7, 2025 08:58:12.300324917 CET	49707	80	192.168.2.5	208.95.112.1
Jan 7, 2025 08:58:12.305087090 CET	80	49707	208.95.112.1	192.168.2.5
Jan 7, 2025 08:58:12.305280924 CET	49707	80	192.168.2.5	208.95.112.1
Jan 7, 2025 08:58:12.305280924 CET	49707	80	192.168.2.5	208.95.112.1
Jan 7, 2025 08:58:12.310164928 CET	80	49707	208.95.112.1	192.168.2.5
Jan 7, 2025 08:58:12.779674053 CET	80	49707	208.95.112.1	192.168.2.5
Jan 7, 2025 08:58:12.780862093 CET	49707	80	192.168.2.5	208.95.112.1
Jan 7, 2025 08:58:12.785887957 CET	80	49707	208.95.112.1	192.168.2.5
Jan 7, 2025 08:58:12.785948038 CET	49707	80	192.168.2.5	208.95.112.1
Jan 7, 2025 08:58:12.843286037 CET	49708	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:12.843318939 CET	443	49708	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:12.843422890 CET	49708	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:12.844085932 CET	49708	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:12.844095945 CET	443	49708	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:13.488126993 CET	443	49708	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:13.493922949 CET	49708	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:13.493937016 CET	443	49708	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:13.494997025 CET	443	49708	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:13.495058060 CET	49708	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:13.513442039 CET	49708	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:13.513572931 CET	443	49708	151.80.152.246	192.168.2.5
Jan 7, 2025 08:58:13.513629913 CET	49708	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:13.601749897 CET	49708	443	192.168.2.5	151.80.152.246
Jan 7, 2025 08:58:51.023834944 CET	49899	443	192.168.2.5	34.117.59.81
Jan 7, 2025 08:58:51.023863077 CET	443	49899	34.117.59.81	192.168.2.5
Jan 7, 2025 08:58:51.023972988 CET	49899	443	192.168.2.5	34.117.59.81
Jan 7, 2025 08:58:51.024591923 CET	49899	443	192.168.2.5	34.117.59.81
Jan 7, 2025 08:58:51.024605036 CET	443	49899	34.117.59.81	192.168.2.5
Jan 7, 2025 08:58:51.494031906 CET	443	49899	34.117.59.81	192.168.2.5
Jan 7, 2025 08:58:51.498528004 CET	49899	443	192.168.2.5	34.117.59.81
Jan 7, 2025 08:58:51.498562098 CET	443	49899	34.117.59.81	192.168.2.5
Jan 7, 2025 08:58:51.499913931 CET	443	49899	34.117.59.81	192.168.2.5
Jan 7, 2025 08:58:51.499996901 CET	49899	443	192.168.2.5	34.117.59.81
Jan 7, 2025 08:58:51.501247883 CET	49899	443	192.168.2.5	34.117.59.81
Jan 7, 2025 08:58:51.501373053 CET	443	49899	34.117.59.81	192.168.2.5
Jan 7, 2025 08:58:51.501424074 CET	49899	443	192.168.2.5	34.117.59.81
Jan 7, 2025 08:58:51.501508951 CET	49899	443	192.168.2.5	34.117.59.81
Jan 7, 2025 08:58:58.512028933 CET	49947	443	192.168.2.5	45.112.123.126
Jan 7, 2025 08:58:58.512058020 CET	443	49947	45.112.123.126	192.168.2.5
Jan 7, 2025 08:58:58.512243032 CET	49947	443	192.168.2.5	45.112.123.126
Jan 7, 2025 08:58:58.512711048 CET	49947	443	192.168.2.5	45.112.123.126
Jan 7, 2025 08:58:58.512721062 CET	443	49947	45.112.123.126	192.168.2.5
Jan 7, 2025 08:58:59.164007902 CET	443	49947	45.112.123.126	192.168.2.5
Jan 7, 2025 08:58:59.167896032 CET	49947	443	192.168.2.5	45.112.123.126
Jan 7, 2025 08:58:59.167912960 CET	443	49947	45.112.123.126	192.168.2.5
Jan 7, 2025 08:58:59.168792009 CET	443	49947	45.112.123.126	192.168.2.5
Jan 7, 2025 08:58:59.168878078 CET	49947	443	192.168.2.5	45.112.123.126
Jan 7, 2025 08:58:59.169861078 CET	49947	443	192.168.2.5	45.112.123.126
Jan 7, 2025 08:58:59.169985056 CET	443	49947	45.112.123.126	192.168.2.5
Jan 7, 2025 08:58:59.170010090 CET	49947	443	192.168.2.5	45.112.123.126
Jan 7, 2025 08:58:59.170036077 CET	49947	443	192.168.2.5	45.112.123.126
Jan 7, 2025 08:58:59.217757940 CET	49952	443	192.168.2.5	144.76.136.153
Jan 7, 2025 08:58:59.217843056 CET	443	49952	144.76.136.153	192.168.2.5
Jan 7, 2025 08:58:59.217930079 CET	49952	443	192.168.2.5	144.76.136.153
Jan 7, 2025 08:58:59.218295097 CET	49952	443	192.168.2.5	144.76.136.153
Jan 7, 2025 08:58:59.218343019 CET	443	49952	144.76.136.153	192.168.2.5
Jan 7, 2025 08:59:41.956304073 CET	443	49952	144.76.136.153	192.168.2.5
Jan 7, 2025 08:59:41.956433058 CET	49952	443	192.168.2.5	144.76.136.153
Jan 7, 2025 08:59:41.956618071 CET	49952	443	192.168.2.5	144.76.136.153
Jan 7, 2025 08:59:41.956639051 CET	443	49952	144.76.136.153	192.168.2.5

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 08:58:08.649430037 CET	58359	53	192.168.2.5	1.1.1.1
Jan 7, 2025 08:58:08.667754889 CET	53	58359	1.1.1.1	192.168.2.5
Jan 7, 2025 08:58:11.556544065 CET	57137	53	192.168.2.5	1.1.1.1
Jan 7, 2025 08:58:11.564739943 CET	53	57137	1.1.1.1	192.168.2.5
Jan 7, 2025 08:58:12.292103052 CET	59328	53	192.168.2.5	1.1.1.1
Jan 7, 2025 08:58:12.299335957 CET	53	59328	1.1.1.1	192.168.2.5
Jan 7, 2025 08:58:51.015739918 CET	54429	53	192.168.2.5	1.1.1.1
Jan 7, 2025 08:58:51.023191929 CET	53	54429	1.1.1.1	192.168.2.5
Jan 7, 2025 08:58:58.502762079 CET	62135	53	192.168.2.5	1.1.1.1
Jan 7, 2025 08:58:58.510498047 CET	53	62135	1.1.1.1	192.168.2.5
Jan 7, 2025 08:58:59.173086882 CET	57680	53	192.168.2.5	1.1.1.1
Jan 7, 2025 08:58:59.217051029 CET	53	57680	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 08:58:12.305280924 CET	167	OUT	GET /json/?fields=hosting,query HTTP/1.1 Host: ip-api.com User-Agent: python-requests/2.32.3 Accept-Encoding: gzip, deflate Accept: / Connection: keep-alive
Jan 7, 2025 08:58:12.779674053 CET	216	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 07:58:12 GMT Content-Type: application/json; charset=utf-8 Content-Length: 40 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 68 6f 73 74 69 6e 67 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"hosting":false,"query":"8.46.123.189"}

Target ID:	0
Start time:	02:57:59
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1.exe"
Imagebase:	0x7ff7e1950000
File size:	25'435'744 bytes
MD5 hash:	3689DACE869ABBBE4E87F57078F6BEC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	02:58:03
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1.exe"
Imagebase:	0x7ff7e1950000
File size:	25'435'744 bytes
MD5 hash:	3689DACE869ABBBE4E87F57078F6BEC9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	02:58:05
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff7f3620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	02:58:08
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff62e690000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	02:58:09
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
Imagebase:	0x7ff7f3620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	02:58:11
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:	0x7ff7f3620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	24
Start time:	02:58:12
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "taskkill /f /im exodus.exe"
Imagebase:	0x7ff7f3620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	02:58:13
Start date:	07/01/2025
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /f /im exodus.exe
Imagebase:	0x7ff7daef0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\KRCrnheJsk.zip

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\Data.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\Directories\Desktop.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\Directories\Documents.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\Directories\Downloads.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\Directories\Music.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\Directories\Pictures.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\Directories\Videos.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\Errors.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\System\Antivirus.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\System\Applications.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\System\Tasklist.txt

C:\Users\user\AppData\Local\Temp\KRCrnheJsk\System\screenshot.png

C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI63922\Crypto\Cipher\_pkcs1_decode.pyd

Windows Analysis Report
1.exe

Target ID:	27
Start time:	02:58:14
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	02:58:15
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	02:58:27
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	02:58:45
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic cpu get name
Imagebase:	0x7ff62e690000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	02:58:46
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff62e690000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	37
Start time:	02:58:47
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get TotalPhysicalMemory
Imagebase:	0x7ff62e690000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	39
Start time:	02:58:48
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
Imagebase:	0x7ff7f3620000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	57

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre