Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1585585
MD5:	9d60674507ea97985c7e3b08d610f8d7
SHA1:	1fccf49236815c14c5ae08adb8d1b23846051b2d
SHA256:	711cd08835add9feecdd4afcfb8df8370fe98c22969fa2cb0cc010a8c8e25d12
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

CStealer

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected CStealer

Yara detected Telegram RAT

AI detected suspicious sample

Drops password protected ZIP file

Found pyInstaller with non standard icon

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

random.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 9D60674507EA97985C7E3B08D610F8D7)

Devis.exe (PID: 8172 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe" MD5: DF512D4AF07ADDF48EB621469C68A001)

cmd.exe (PID: 5824 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DynamicStealer	Dynamic Stealer is a Github Project C# written code by L1ghtN4n. This code collects passwords and uploads these to Telegram. According to Cyble this Eternity Stealer leverages code from this project and also Jester Stealer could be rebranded from it.	No Attribution	https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dynamicstealer

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7016091731:AAE5Nyv-uzsZ7PjXljxbSv9-kk6qJEIFAso/sendMessage"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Log Report (user).cs	JoeSecurity_CStealer	Yara detected CStealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CStealer	Yara detected CStealer	Joe Security
00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CStealer	Yara detected CStealer	Joe Security
00000009.00000003.2136532382.000001432FF48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CStealer	Yara detected CStealer	Joe Security
00000009.00000003.2142621910.000001432FF58000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CStealer	Yara detected CStealer	Joe Security
00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CStealer	Yara detected CStealer	Joe Security
00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CStealer	Yara detected CStealer	Joe Security
Process Memory Space: Devis.exe PID: 8172	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Devis.exe PID: 8172	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Devis.exe PID: 8172	JoeSecurity_CStealer	Yara detected CStealer	Joe Security
Click to see the 12 entries

Code function: 0_2_00007FF7332BC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7332BC2F0

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D3484	0_2_00007FF7332D3484
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332CA4AC	0_2_00007FF7332CA4AC
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332DB190	0_2_00007FF7332DB190
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332E0754	0_2_00007FF7332E0754
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332BF930	0_2_00007FF7332BF930
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332C4928	0_2_00007FF7332C4928
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D1F20	0_2_00007FF7332D1F20
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332B5E24	0_2_00007FF7332B5E24
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332DCE88	0_2_00007FF7332DCE88
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D53F0	0_2_00007FF7332D53F0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332B7288	0_2_00007FF7332B7288
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332C126C	0_2_00007FF7332C126C
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332BA310	0_2_00007FF7332BA310
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332BC2F0	0_2_00007FF7332BC2F0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332CF180	0_2_00007FF7332CF180
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D21D0	0_2_00007FF7332D21D0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332B4840	0_2_00007FF7332B4840
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332EC838	0_2_00007FF7332EC838
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332B76C0	0_2_00007FF7332B76C0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332F2550	0_2_00007FF7332F2550
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332CB534	0_2_00007FF7332CB534
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332E8C1C	0_2_00007FF7332E8C1C
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332CBB90	0_2_00007FF7332CBB90
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332C5B60	0_2_00007FF7332C5B60
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D4B98	0_2_00007FF7332D4B98
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332C1A48	0_2_00007FF7332C1A48
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332EFA94	0_2_00007FF7332EFA94
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D2AB0	0_2_00007FF7332D2AB0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332B1AA4	0_2_00007FF7332B1AA4
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332F5AF8	0_2_00007FF7332F5AF8
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332CC96C	0_2_00007FF7332CC96C
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D3964	0_2_00007FF7332D3964
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332E89A0	0_2_00007FF7332E89A0
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF73331E058	0_2_00007FF73331E058
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332F2080	0_2_00007FF7332F2080
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332CAF18	0_2_00007FF7332CAF18
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D2D58	0_2_00007FF7332D2D58
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332D8DF4	0_2_00007FF7332D8DF4
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332E0754	0_2_00007FF7332E0754

Source: _overlapped.pyd.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: random.exe, 00000000.00000003.1916975033.000001EA79020000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython311.dll. vs random.exe
Source: random.exe, 00000000.00000003.1916975033.000001EA78DF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs random.exe
Source: random.exe, 00000000.00000003.1916975033.000001EA78AB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_testcapi.pyd. vs random.exe
Source: random.exe, 00000000.00000003.1916975033.000001EA78AB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs random.exe
Source: random.exe, 00000000.00000003.1916975033.000001EA78C13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametk86.dllP vs random.exe
Source: random.exe, 00000000.00000003.1916975033.000001EA78BC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs random.exe

Source: classification engine

Classification label: mal96.troj.spyw.winEXE@6/1034@5/5

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332BB6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF7332BB6D8

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332D8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF7332D8624

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3748:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: random.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\random.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: random.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\random.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: python311.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: pywintypes311.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: tcl86t.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: tk86t.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: random.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: random.exe

Static file information: File size 24997182 > 1048576

Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: random.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: random.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: random.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: random.exe, 00000000.00000003.1916975033.000001EA78BC8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Initial commands are read from .pdbrc files in your home directory source: Devis.exe, 00000009.00000003.2623108819.000001432F149000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2625472228.000001432F17D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626564670.000001432F17D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624188266.000001432F179000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623619766.000001432F151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: random.exe, 00000000.00000003.1916975033.000001EA78AB9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: random.exe, 00000000.00000003.1916975033.000001EA78AB9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: placed in the .pdbrc file): source: Devis.exe, 00000009.00000003.2624030379.000001432F02A000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F001000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2627484980.000001432F042000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2627929496.000001432F04A000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302391789.000001432FE42000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450468561.000001432FE42000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2628562651.000001432FE49000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2628892323.000001432FD01000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2610412137.000001432FE42000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137079576.000001432FE42000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: random.exe
Source:	Binary string: -c are executed after commands from .pdbrc files. source: Devis.exe, 00000009.00000003.2623108819.000001432F149000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2625472228.000001432F17D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626564670.000001432F17D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624188266.000001432F179000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623619766.000001432F151000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: The standard debugger class (pdb.Pdb) is an example. source: Devis.exe, 00000009.00000003.2620434871.000001432F210000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626642236.000001432F25F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622996868.000001432E898000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626364849.000001432E8F8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626052503.000001432F238000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2625472228.000001432F210000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623747270.000001432F210000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: If a file ".pdbrc" exists in your home directory or in the current source: Devis.exe, 00000009.00000003.2628892323.000001432FD1B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2627087985.000001432FD19000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2628892323.000001432FD01000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: random.exe, 00000000.00000003.1916975033.000001EA78E68000.00000004.00000020.00020000.00000000.sdmp

Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: random.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5513453

Jump to behavior

Source: random.exe	Static PE information: section name: .didat
Source: random.exe	Static PE information: section name: _RDATA
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim
Source: vcruntime140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332F5156 push rsi; retf		0_2_00007FF7332F5157
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332F5166 push rsi; retf		0_2_00007FF7332F5167

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\random.exe

Process created: "C:\Users\user\Desktop\random.exe"

Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32service.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\zstandard\_cffi.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\winxpgui.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32inet.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32gui.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\setuptools\gui-32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\_winxptheme.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32pdh.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\zstandard\backend_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\setuptools\gui-64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\markupsafe\_speedups.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32console.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\setuptools\gui-arm64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32ras.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32cred.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32pipe.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32api.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\timer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\perfmon.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32profile.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32process.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32file.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32ts.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32security.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\servicemanager.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32clipboard.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\_win32sysloader.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32job.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32trace.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\perfmondata.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32event.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\odbc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32net.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32evtlog.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32api.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32wnet.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\pythonservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\setuptools\gui.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32crypt.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32transaction.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32com\shell\shell.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32lz.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32crypt.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\mmapfile.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32print.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32help.cp311-win_amd64.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\random.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32service.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\zstandard\_cffi.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\winxpgui.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32inet.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32gui.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\setuptools\gui-32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\_winxptheme.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32pdh.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\zstandard\backend_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\setuptools\gui-64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\markupsafe\_speedups.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32console.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\setuptools\gui-arm64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32ras.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32cred.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32pipe.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32api.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\timer.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\perfmon.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32process.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32profile.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32file.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32ts.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32security.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\servicemanager.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\_win32sysloader.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32clipboard.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32trace.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32job.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\perfmondata.dll	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32event.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\odbc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32net.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32evtlog.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32api.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32wnet.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\setuptools\gui.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\pythonservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32crypt.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32transaction.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32com\shell\shell.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32lz.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32crypt.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\mmapfile.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32print.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\random.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\win32\win32help.cp311-win_amd64.pyd	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332DB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7332DB190
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332C40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7332C40BC
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332EFCA0 FindFirstFileExA,	0_2_00007FF7332EFCA0

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332E16A4 VirtualQuery,GetSystemInfo,

0_2_00007FF7332E16A4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\lib\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332E3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7332E3170

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332F0D20 GetProcessHeap,

0_2_00007FF7332F0D20

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332E2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7332E2510
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332E3354 SetUnhandledExceptionFilter,	0_2_00007FF7332E3354
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332E3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7332E3170
Source: C:\Users\user\Desktop\random.exe	Code function: 0_2_00007FF7332E76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7332E76D8

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332DB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7332DB190

Source: C:\Users\user\Desktop\random.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"			Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332F58E0 cpuid

0_2_00007FF7332F58E0

Source: C:\Users\user\Desktop\random.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF7332DA2CC

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332E0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,SleepEx,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7332E0754

Source: C:\Users\user\Desktop\random.exe

Code function: 0_2_00007FF7332C51A4 GetVersionExW,

0_2_00007FF7332C51A4

Stealing of Sensitive Information

Yara detected CStealer

Source: Yara match	File source: 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2136532382.000001432FF48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2142621910.000001432FF58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Devis.exe PID: 8172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Log Report (user).cs, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Devis.exe PID: 8172, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local State	Jump to behavior

Source: Yara match	File source: 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Devis.exe PID: 8172, type: MEMORYSTR

Remote Access Functionality

Yara detected CStealer

Source: Yara match	File source: 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2136532382.000001432FF48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2142621910.000001432FF58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Devis.exe PID: 8172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Log Report (user).cs, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Devis.exe PID: 8172, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Process Injection	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Obfuscated Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Software Packing	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
random.exe	13%	ReversingLabs	Win32.Ransomware.TelegramRAT

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerBase.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerCustom.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerGMP.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerNative.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\DH.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\KDF.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\SecretSharing.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\DSA.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\ECC.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\ElGamal.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\RSA.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_openssh.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Random\__init__.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Random\random.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Signature\DSS.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Signature\PKCS1_PSS.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Signature\PKCS1_v1_5.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Signature\eddsa.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Signature\pkcs1_15.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Signature\pss.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\Counter.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\Padding.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\RFC1751.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\_file_system.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\_raw_api.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\asn1.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\number.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\py3compat.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\strxor.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\__init__.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\AES.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\ARC2.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\ARC4.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\Blowfish.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\CAST.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\ChaCha20.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\ChaCha20_Poly1305.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\DES.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\DES3.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\PKCS1_OAEP.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\PKCS1_v1_5.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\Salsa20.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_EKSBlowfish.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_cbc.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_ccm.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_cfb.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_ctr.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_eax.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_ecb.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_gcm.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_ocb.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_ofb.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_openpgp.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_mode_siv.pyi	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Cryptodome\Cipher\_raw_aes.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://repository.swisssign.com/:	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/P	0%	Avira URL Cloud	safe
http://repository.swisssign.com/H	0%	Avira URL Cloud	safe
http://repository.swisssign.com/K	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/ot	0%	Avira URL Cloud	safe
http://repository.swisssign.com/2	0%	Avira URL Cloud	safe
http://repository.swisssign.com/?	0%	Avira URL Cloud	safe
http://repository.swisssign.com/root	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/ium	0%	Avira URL Cloud	safe
http://repository.swisssign.com/1o	0%	Avira URL Cloud	safe
http://repository.swisssign.com/T	0%	Avira URL Cloud	safe
http://repository.swisssign.com/n$	0%	Avira URL Cloud	safe
http://repository.swisssign.com/N	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/(	0%	Avira URL Cloud	safe
http://repository.swisssign.com/U	0%	Avira URL Cloud	safe
http://repository.swisssign.com/v	0%	Avira URL Cloud	safe
http://repository.swisssign.com/m	0%	Avira URL Cloud	safe
http://repository.swisssign.com/g	0%	Avira URL Cloud	safe
http://ocsp.accv.esD$uz8	0%	Avira URL Cloud	safe
http://repository.swisssign.com/z~py	0%	Avira URL Cloud	safe
http://repository.swisssign.com/_A	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/root	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/s	0%	Avira URL Cloud	safe
http://repository.swisssign.com/FF	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/uK	0%	Avira URL Cloud	safe
http://repository.swisssign.com/WW	0%	Avira URL Cloud	safe
http://ocsp.accv.esm	0%	Avira URL Cloud	safe
http://repository.swisssign.com/4x	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discord.com	162.159.128.233	true	false	high
api.ipify.org	104.26.12.205	true	false	high
geolocation-db.com	159.89.102.253	true	false	high
api.telegram.org	149.154.167.220	true	false	high
api.gofile.io	51.91.7.6	true	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.securetrust.com/SGCA.crlCA	Devis.exe, 00000009.00000003.2450114284.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450763310.0000014330199000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/1o	Devis.exe, 00000009.00000003.2136584042.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2141049739.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2141469632.000001432FFD9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2142848323.000001432FFE0000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137375482.000001432FFC6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf	Devis.exe, 00000009.00000003.2624445249.000001432EAA7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/?	Devis.exe, 00000009.00000003.2138553405.0000014330165000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136757741.0000014330155000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/)	Devis.exe, 00000009.00000003.2607859943.0000014330068000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609806921.0000014330085000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609034388.000001433007D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2614109539.0000014330098000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2611778516.0000014330085000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7016091731:AAE5Nyv-uzsZ7PjXljxbSv9-kk6qJEIFAso/sendPhoto?chat_id=-100234	Devis.exe, 00000009.00000003.2139210733.000001432FFFA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl=5	Devis.exe, 00000009.00000003.2620832412.000001432FFBE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2608378609.000001432FFBC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303013852.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606992866.000001432FFB9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136584042.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044815764.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452290010.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304478351.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2616542977.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2614414397.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl)	Devis.exe, 00000009.00000003.2451143287.000001432FFA0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/8Y	Devis.exe, 00000009.00000003.2136584042.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2141049739.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137375482.000001432FFC6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/botz	Devis.exe, 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crlZ%	Devis.exe, 00000009.00000003.2136757741.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137610343.0000014330199000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/H	Devis.exe, 00000009.00000003.2607859943.0000014330068000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2619822863.0000014330093000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618427225.0000014330092000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609806921.0000014330085000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609034388.000001433007D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2611778516.0000014330085000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/&	Devis.exe, 00000009.00000003.2450114284.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618219298.00000143301A9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2619027925.00000143301AA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617180653.000001433019D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612847350.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301840434.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136757741.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137610343.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2047560369.00000143301A4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450763310.0000014330199000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl0	Devis.exe, 00000009.00000003.2453546506.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2614699387.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2138956644.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2451143287.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137997536.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2608345394.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045559134.000001432FF92000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045947763.000001432FFA0000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303898883.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048737756.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045874759.000001432FF9C000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044888687.000001432FF7E000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2046026783.000001432FFA7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305096783.000001432FFA9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/K	Devis.exe, 00000009.00000003.2606652066.00000143304A5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609268532.00000143304E5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606779633.00000143304CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/root	Devis.exe, 00000009.00000003.2309552168.0000014330459000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2453941637.000001432FF73000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2451470841.000001432FF72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crlr	Devis.exe, 00000009.00000003.2304272847.0000014330391000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2306348978.00000143303E4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2309331488.00000143303EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/ot	Devis.exe, 00000009.00000003.2622371766.000001433027F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612847350.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2616387204.000001433026C000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450674024.000001432FFD8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2453277718.000001432FFE2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2451865102.000001432FFE1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618737770.000001433027F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301751438.000001432FF59000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2306871945.000001432FF59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.python.org/library/unittest.html	Devis.exe, 00000009.00000003.2627087985.000001432FD19000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/2	Devis.exe, 00000009.00000003.2453743233.0000014330013000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452847430.0000014330008000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl=	Devis.exe, 00000009.00000003.2610817044.000001433010D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2620757118.0000014330110000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/P	Devis.exe, 00000009.00000003.2452016497.0000014330165000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449588736.0000014330132000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450114284.0000014330155000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/J&	Devis.exe, 00000009.00000003.2136757741.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137610343.0000014330199000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/ium	Devis.exe, 00000009.00000003.2305365260.0000014330017000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2308424914.000001433001C000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301635477.0000014330012000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc2388#section-4.4	Devis.exe, 00000009.00000003.2624445249.000001432EAA7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl~	Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301840434.0000014330186000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/:	Devis.exe, 00000009.00000003.2608667837.0000014331B51000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2613170638.0000014331B55000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606732180.0000014331B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	Devis.exe, 00000009.00000003.1958256926.000001432CABF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/(	Devis.exe, 00000009.00000003.2611453647.0000014331D18000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2610537160.0000014331D18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/rvicess	Devis.exe, 00000009.00000003.2136584042.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137502674.000001432FFF7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452847430.0000014330008000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137375482.000001432FFC6000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303178835.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2139210733.000001432FFFA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/n$	Devis.exe, 00000009.00000003.2309552168.0000014330459000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/g	Devis.exe, 00000009.00000003.2136757741.00000143301F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	Devis.exe, 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/N	Devis.exe, 00000009.00000003.2449588736.00000143301F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crlS	Devis.exe, 00000009.00000003.2302670153.00000143300FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302827498.000001433010D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302149655.00000143300DE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302490308.00000143300E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	Devis.exe, 00000009.00000003.2624030379.000001432F02A000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623108819.000001432F149000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F001000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626779525.000001432F10F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2627484980.000001432F042000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623951037.000001432F14D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626696001.000001432F108000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624350928.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624695587.000001432F107000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	Devis.exe, 00000009.00000003.1972984264.000001432EA62000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1973354362.000001432EA42000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1972730721.000001432EA7A000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1972837156.000001432EA39000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	Devis.exe, 00000009.00000003.2048632285.00000143300FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2138956644.000001432FFA3000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2619027925.00000143301F5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617932252.00000143301F2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449588736.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2451253599.000001433010D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044815764.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304272847.0000014330391000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302670153.00000143300FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609806921.0000014330085000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2453941637.000001432FF73000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2047560369.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304972416.000001432FF6B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2614619779.000001432FFCF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2308574238.00000143300D5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302827498.000001433010D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136757741.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612847350.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452290010.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2613170638.0000014331B55000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlEK	Devis.exe, 00000009.00000003.2620832412.000001432FFBE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2608378609.000001432FFBC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606992866.000001432FFB9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2616542977.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2614414397.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crlf$4~_	Devis.exe, 00000009.00000003.2450114284.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618219298.00000143301A9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2619027925.00000143301AA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617180653.000001433019D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612847350.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301840434.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136757741.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137610343.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2047560369.00000143301A4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450763310.0000014330199000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	Devis.exe, 00000009.00000003.2140530025.000001433007F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048155586.0000014330014000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2620181432.0000014331D36000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2610276747.0000014331D35000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2138513004.00000143300AD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612775823.00000143304FA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2309144735.0000014331C3F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612965259.00000143300AD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301486691.0000014331BCA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2620645400.0000014330166000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2139818130.000001432FF5B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450428068.00000143300E9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449588736.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2608058843.00000143300A9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449165429.0000014330458000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305404158.000001432FF95000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2046598267.00000143300A9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2453108702.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045758034.00000143300A6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlHOH	Devis.exe, 00000009.00000003.2452290010.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/T	Devis.exe, 00000009.00000003.2309552168.0000014330459000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/U	Devis.exe, 00000009.00000003.2309552168.0000014330459000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crlY	Devis.exe, 00000009.00000003.2306076705.0000014330474000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htmA	Devis.exe, 00000009.00000003.2628892323.000001432FD1B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2627087985.000001432FD19000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crlce	Devis.exe, 00000009.00000003.2607859943.0000014330068000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609034388.000001433007D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/get	Devis.exe, 00000009.00000003.2622706517.000001432F001000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624445249.000001432EB28000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1982192501.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624350928.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624314376.000001432F01C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlX	Devis.exe, 00000009.00000003.2606652066.00000143304A5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2614812734.00000143304ED000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612098132.00000143304E8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609268532.00000143304E5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606779633.00000143304CF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://exiv2.org/tags.html)	Devis.exe, 00000009.00000003.2623108819.000001432F149000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	Devis.exe, 00000009.00000003.2620832412.000001432FFBE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2608378609.000001432FFBC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303013852.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606992866.000001432FFB9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136584042.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044815764.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452290010.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304478351.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2616542977.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2614414397.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.esD$uz8	Devis.exe, 00000009.00000003.2138513004.00000143300AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://geolocation-db.com/jsonp/z	Devis.exe, 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl3	Devis.exe, 00000009.00000003.2449588736.00000143301F1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	Devis.exe, 00000009.00000003.2623108819.000001432F149000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2625472228.000001432F17D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626564670.000001432F17D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624188266.000001432F179000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623619766.000001432F151000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/m	Devis.exe, 00000009.00000003.2449588736.00000143301F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/	Devis.exe, 00000009.00000003.2624445249.000001432EAA7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlh	Devis.exe, 00000009.00000003.2302490308.0000014330166000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	Devis.exe, 00000009.00000003.2615441091.000001432FFE2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2308885766.000001433008C000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2451865102.000001432FFE1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606732180.0000014331B41000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301635477.0000014330012000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452016497.0000014330165000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618737770.000001433027F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2307466206.000001433008B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2610851550.0000014330165000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449588736.0000014330132000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044888687.000001432FF7E000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301751438.000001432FF59000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450114284.0000014330155000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045030023.0000014330088000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2046026783.000001432FFA7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2307093685.000001433007F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450763310.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609431066.0000014330132000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609610495.000001433013D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2306871945.000001432FF59000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crlx	Devis.exe, 00000009.00000003.2453235972.000001432FF5B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449380068.000001432FF59000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	Devis.exe, 00000009.00000003.1969372996.000001432E8DF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1964302940.000001432E900000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1958818741.000001432E8F0000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1959294657.000001432E903000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1967824032.000001432EA70000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1959778265.000001432EA70000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1959941434.000001432E8FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1959380406.000001432E8DF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1969952887.000001432E908000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1958139752.000001432E8E9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1969372996.000001432E8FF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Devis.exe, 00000009.00000003.2012016201.000001432FF5D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/v	Devis.exe, 00000009.00000003.2608667837.0000014331B51000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2613170638.0000014331B55000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606732180.0000014331B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/z~py	Devis.exe, 00000009.00000003.2304478351.000001432FFD8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136584042.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303898883.000001432FFD8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044815764.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305963393.000001432FFF1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305269288.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305220107.000001432FFD9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044963456.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137375482.000001432FFC6000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045725792.000001432FFEF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045409514.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2139466190.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048270802.000001432FFF2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2310425490.000001432FFF2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl?	Devis.exe, 00000009.00000003.2045596129.000001433000F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048155586.0000014330014000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044815764.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045451915.000001432FFFB000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044963456.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045409514.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Devis.exe, 00000009.00000003.2624445249.000001432EB28000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/	random.exe, 00000000.00000003.1916975033.000001EA78EC5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlz	Devis.exe, 00000009.00000003.2302670153.00000143300FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302827498.000001433010D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305582183.0000014330115000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302149655.00000143300DE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302490308.00000143300E9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2307303956.0000014330121000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl:$	Devis.exe, 00000009.00000003.2606652066.00000143304A5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/cservicess	Devis.exe, 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450763310.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304885348.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crlF%	Devis.exe, 00000009.00000003.2450114284.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618219298.00000143301A9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2619027925.00000143301AA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617180653.000001433019D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612847350.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301840434.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136757741.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137610343.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2047560369.00000143301A4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450763310.0000014330199000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/_A	Devis.exe, 00000009.00000003.2622181450.00000143301CA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450114284.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618219298.00000143301A9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2619027925.00000143301AA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617180653.000001433019D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612847350.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301840434.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136757741.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137610343.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2047560369.00000143301A4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450763310.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2621061394.00000143301C3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlu	Devis.exe, 00000009.00000003.2607859943.0000014330068000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618427225.0000014330068000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612028010.0000014330068000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609806921.0000014330068000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/FF	Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2301840434.0000014330186000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crlY-	Devis.exe, 00000009.00000003.2608667837.0000014331B51000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2613170638.0000014331B55000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606732180.0000014331B41000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	Devis.exe, 00000009.00000003.2450114284.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2308639903.0000014331DC4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304733622.000001432FF8C000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302490308.0000014330132000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045664569.000001432FF6B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623673649.00000143302A4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045596129.000001433000F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2310014565.0000014331C44000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617895934.00000143300AE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137770799.0000014330132000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045695644.000001432FF73000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2621262043.0000014330153000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606652066.00000143304A5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452244041.000001433013D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048870354.000001433014F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137770799.0000014330115000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617576158.00000143301CF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2140530025.000001433007F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609431066.0000014330115000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048155586.0000014330014000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2620181432.0000014331D36000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	Devis.exe, 00000009.00000003.2628892323.000001432FD1B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2627087985.000001432FD19000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crlrc	Devis.exe, 00000009.00000003.2450986787.00000143300B1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303013852.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304478351.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304885348.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl)	Devis.exe, 00000009.00000003.2607859943.0000014330068000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609806921.0000014330085000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609034388.000001433007D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2614109539.0000014330098000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2611778516.0000014330085000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	Devis.exe, 00000009.00000003.2606652066.00000143304A5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2610603427.00000143304C6000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303013852.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2046598267.00000143300DE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048632285.00000143300FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2620434871.000001432F210000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449165429.0000014330458000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2615932148.0000014330108000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044815764.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302670153.00000143300FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626642236.000001432F25F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305012714.0000014330106000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452290010.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304478351.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302149655.00000143300DE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626052503.000001432F238000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609073242.00000143304B8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449588736.00000143300FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2625472228.000001432F210000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2139574243.00000143300FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302490308.00000143300E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	Devis.exe, 00000009.00000003.2303013852.000001432FFBD000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623108819.000001432F149000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2453029908.000001433041E000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2046598267.00000143300DE000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618008503.000001433020E000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607859943.0000014330068000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136584042.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2618219298.00000143301A9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2453784768.0000014330432000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2141049739.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045559134.000001432FF92000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2615441091.000001433000A000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2619027925.00000143301AA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2612098132.00000143304BF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2613425284.00000143304BF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617932252.00000143301F2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2453235972.000001432FF5B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2449588736.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045947763.000001432FFA0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/root	Devis.exe, 00000009.00000003.2140530025.000001433007F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2142288607.0000014330093000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	Devis.exe, 00000009.00000003.2624279983.000001432EC2C000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623277805.000001432EBC3000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2627006000.000001432EBD5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623202605.000001432EC2A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module	Devis.exe, 00000009.00000003.2628690434.000001432EB4F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623277805.000001432EB47000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es00	Devis.exe, 00000009.00000003.2450114284.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2308639903.0000014331DC4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2302490308.0000014330132000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045664569.000001432FF6B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623673649.00000143302A4000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045596129.000001433000F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137770799.0000014330132000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045695644.000001432FF73000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2621262043.0000014330153000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452244041.000001433013D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048870354.000001433014F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137770799.0000014330115000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2617576158.00000143301CF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2609431066.0000014330115000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048155586.0000014330014000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303178835.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2451627214.0000014331BFA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2138248242.000001433013D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2615441091.000001433000A000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.00000143301F1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2620757118.0000014330118000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crlL	Devis.exe, 00000009.00000003.2307183710.0000014331BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	Devis.exe, 00000009.00000003.1969372996.000001432E8DF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1964302940.000001432E900000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1958818741.000001432E8F0000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1959294657.000001432E903000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1967824032.000001432EA70000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1959778265.000001432EA70000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1959941434.000001432E8FF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1959380406.000001432E8DF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1969952887.000001432E908000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1958139752.000001432E8E9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.1969372996.000001432E8FF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	Devis.exe, 00000009.00000003.2625472228.000001432F19F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623108819.000001432F149000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624561684.000001432F19D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2620434871.000001432F210000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626642236.000001432F25F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626324468.000001432F19F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626052503.000001432F238000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624188266.000001432F179000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2625472228.000001432F210000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623747270.000001432F210000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623619766.000001432F151000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/s	Devis.exe, 00000009.00000003.2309701313.0000014330090000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2308885766.000001433008C000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2307466206.000001433008B000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2307093685.000001433007F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crlO	Devis.exe, 00000009.00000003.2453743233.0000014330013000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2452847430.0000014330008000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/4x	Devis.exe, 00000009.00000003.2304478351.000001432FFD8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2136584042.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303898883.000001432FFD8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2615441091.000001432FFF2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2453108702.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044815764.000001432FFAC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305963393.000001432FFF1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305269288.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2305220107.000001432FFD9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044963456.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450674024.000001432FFD8000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2137375482.000001432FFC6000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2451865102.000001432FFE1000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045725792.000001432FFEF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2045409514.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606922040.000001432FFF0000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2139466190.000001432FFE5000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2048270802.000001432FFF2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2310425490.000001432FFF2000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	Devis.exe, 00000009.00000003.2624030379.000001432F02A000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623108819.000001432F149000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F001000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626779525.000001432F10F000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2627484980.000001432F042000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2622706517.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2623951037.000001432F14D000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2626696001.000001432F108000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624350928.000001432F0C7000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2624695587.000001432F107000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	Devis.exe, 00000009.00000003.2623277805.000001432EB47000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/uK	Devis.exe, 00000009.00000003.2608667837.0000014331B51000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2613170638.0000014331B55000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2606732180.0000014331B41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mahler:8092/site-updates.py	Devis.exe, 00000009.00000003.2622996868.000001432E898000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	Devis.exe, 00000009.00000003.2136990618.00000143300E9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2607098045.0000014330186000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2309331488.00000143303EA000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2044683649.000001432FF48000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2450763310.0000014330199000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2304885348.000001432FFCC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/WW	Devis.exe, 00000009.00000003.2613612559.0000014331CD9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2625306301.0000014331CD9000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2608999252.0000014331CCF000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2611826608.0000014331CD9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.../back.jpeg	Devis.exe, 00000009.00000003.1978992313.000001432EFD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.esm	Devis.exe, 00000009.00000003.2305404158.000001432FF95000.00000004.00000020.00020000.00000000.sdmp, Devis.exe, 00000009.00000003.2303667346.000001432FF94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
51.91.7.6	api.gofile.io	France	16276	OVHFR	false
162.159.128.233	discord.com	United States	13335	CLOUDFLARENETUS	false
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585585
Start date and time:	2025-01-07 21:44:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random.exe
Detection:	MAL
Classification:	mal96.troj.spyw.winEXE@6/1034@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 71 Number of non-executed functions: 95
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, Microsoft.Photos.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 23.56.254.164, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Reached maximum number of file to list during submission archive extraction
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: random.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Resource.exe	Get hash	malicious	Blank Grabber	Browse
	user.exe	Get hash	malicious	Unknown	Browse
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
104.26.12.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	api.ipify.org/
	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	http://sammobile.digidip.net/visit?url=https://massageclinic.com.au/wadblacks2&currurl=https://www.sammobile.com/2018/06/06/june-2018-security-patch-information-published-by-samsung/	Get hash	malicious	Gabagool	Browse	104.26.13.205
	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=olgelfuabFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com	Get hash	malicious	Unknown	Browse	104.26.13.205
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
discord.com	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	162.159.135.232
	P3A946MOFP.exe	Get hash	malicious	XWorm	Browse	162.159.128.233
	paint.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	hkMUtKbCqV.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	X9g8L63QGs.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	KpHYfxnJs6.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	AimStar.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
geolocation-db.com	http://www.klim.com	Get hash	malicious	Unknown	Browse	159.89.102.253
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	159.89.102.253
	chos.exe	Get hash	malicious	Unknown	Browse	159.89.102.253
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse	159.89.102.253
	file.exe	Get hash	malicious	CStealer	Browse	159.89.102.253
	GE AEROSPACE _WIRE REMITTANCE.xlsx	Get hash	malicious	Unknown	Browse	159.89.102.253
	Creal.exe	Get hash	malicious	Creal Stealer	Browse	159.89.102.253
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	159.89.102.253
	https://mlbmajorlossbuilders.hbportal.co/flow/66fdd3a6c031cc001f728831/view?hash=54079a777636a614d8d961b5b9a96a5f	Get hash	malicious	Unknown	Browse	159.89.102.253

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	149.154.167.220
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://t.me/hhackplus	Get hash	malicious	Unknown	Browse	149.154.167.99
	Resource.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	user.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	UpdaterTool.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	audio.mp3_JasonhTranscript.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	162.159.135.232
	QoRXFaE8Xn.exe	Get hash	malicious	DCRat	Browse	188.114.96.3
	https://pozaweclip.upnana.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://us01-i-prod-estimating-storage.s3.amazonaws.com/598134325679181/562949954787293/Documents/1706942/Hoosier%20Crane%20Service%20Company.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://link.edgepilot.com/s/692fcd16/rcPy0yXyykq_mRLKroUvRQ?u=https://petroleumalliance.us8.list-manage.com/track/click?u=325f73d29a0b4f85a46b700a9%26id=dfe369da82%26e=94c2db4428	Get hash	malicious	Unknown	Browse	104.17.223.152
	http://xyft.zmdusdxj.ru	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://bRH5.bughtswo.com/tgs0/#bW1vb3JlQGVuYWJsZWNvbXAuY29t	Get hash	malicious	Unknown	Browse	104.17.25.14
OVHFR	https://universidad-unidem.edu.mx/mah/i/amFjb2JAc3RlaW5ib3JuLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	91.134.9.160
	pkt1.exe	Get hash	malicious	Unknown	Browse	151.80.239.86
	http://23.27.51.244/dr0p.exe	Get hash	malicious	Unknown	Browse	151.80.239.86
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	54.38.113.3
	https://147y3.trk.elasticemail.com/tracking/click?d=l6DX1ZxoYxoIu3Ps_nHCw2dpTGYsp50KhPgdcLAPZ98lDQqXluI2jbk2Kz6cWaRjWchw5Igbhe-BSjXhcIk5khB6_31XWJ3KxF070e3rxxM9hJmShBhAM7tP0jesqnjYkgFpEuivEIV6QQKt0-F18YQ1#out/0023m/435/85jy1/26p0/41/77	Get hash	malicious	Unknown	Browse	164.132.95.126
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	37.59.22.41
	1.exe	Get hash	malicious	Unknown	Browse	151.80.152.246
	1.exe	Get hash	malicious	Unknown	Browse	151.80.152.246
	sh4.elf	Get hash	malicious	Mirai	Browse	51.70.11.3
	https://u43161309.ct.sendgrid.net/ls/click?upn=u001.L9-2FCbhkaoUACh7As3yZ8i4iABGphfl-2FJgS6Xiu1aw6I-3DgXpA_qO4VbBWAKg4gLfGs-2BfuSyZki3gKzG4I1DrYN15Q8fD7JV1twLeLo1AFs1GBSG3ZgA22dFJdXJloKc56aXDeV3olJKTBJd8NprednZ2LeXdX-2BkcSQE-2F2FRwgBng5RbUCLfjS8-2FI3mrpwyYu9lRatIB62qUwPSax-2Fhh2c7R-2B7pT3Kos0wK0SEJGj4ZMkgOGYhEniKYT7Kn7jN25xFz2sFdtPlVQkIdCFKwDNWmq-2BrAxerZE2GuKgfkuf3l1UY4J42sOOltybAAVyLhV-2BXfmbuQpN4NpshXRIuhta8ho3ChcTA5NtgjludQThyLtwhGns-2ByLqSbpO1Bhhc-2FCgdgP-2BAOxYrGHvKHjVYRr6-2BiryADxfM-3D	Get hash	malicious	HTMLPhisher	Browse	46.105.222.162

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerBase.pyi	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse
	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse
	2zirzlMVqX.bat	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	https://t.ly/-kxCO	Get hash	malicious	Braodo	Browse
	https://t.ly/SjDNX	Get hash	malicious	Python Stealer, Braodo	Browse
	https://t.ly/D5x5U	Get hash	malicious	Braodo	Browse
	https://firebasestorage.googleapis.com/v0/b/lecongtai-bb82b.appspot.com/o/16-10%2FCompilation%20of%20copyright-protected%20videos%20and%20images.zip?alt=media&token=c97d235f-3349-47aa-b756-15ecdbdf39b1	Get hash	malicious	Python Stealer, Braodo	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerCustom.pyi	main1.bat	Get hash	malicious	Abobus Obfuscator	Browse
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse
	run.cmd	Get hash	malicious	Unknown	Browse
	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse
	vUlh7stUHJ.exe	Get hash	malicious	XWorm	Browse
	2zirzlMVqX.bat	Get hash	malicious	Xmrig	Browse
	Real Estate Project Information - Catalogue - Price List 0412PH (Area - Design - Finance).bat	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: discord.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: geolocation-db.com
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: Log (user).zip.9.dr	Zip Entry: encrypted
Source: Log (user).zip.9.dr	Zip Entry: encrypted
Source: Log (user).zip.9.dr	Zip Entry: encrypted

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe
File Type:	ASCII text, with very long lines (522), with CRLF line terminators
Category:	dropped
Size (bytes):	3355
Entropy (8bit):	5.859711514959835
Encrypted:	false
SSDEEP:	96:jJMsoO2gicRq6Zi2L+ySstv3pP+YRBynqsCHw4R2cksQ:NiCRtpKQdA
MD5:	E7FE9C45ABECAFAD2E0254DC692B506D
SHA1:	74028143ACD8925C5A5702C457018B99FBBCC939
SHA-256:	015E4099C0D99A9AC9A9FBF362D26D4F049BA5EAA24D19EFA48E674DD28DD658
SHA-512:	B8875F3039E84088C1A758D75DF84862A3EF08462D044EB752E72F25AF109E1074292183449C3024B58E2745F61BC3138CBEBFB33984DD7164916F2577A7A826
Malicious:	false
Reputation:	low
Preview:	.google.com.TRUE./.FALSE.13356618603686193.NID.511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KFwQcRJL-qGz8MvkkzMZmElvXAFWLO-TPZ9PMqBYA78ZAuaepnXIRHe-TAolVoW6Z7dQnqpgyX0m-TmS72bebAgoqZv5GkpRFUcZIw1Kk..support.microsoft.com.TRUE./.FALSE.13340887435186329..AspNetCore.AuthProvider.True..support.microsoft.com.TRUE./signin-oidc.FALSE.13340887735359381..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.N..support.microsoft.com.TRUE./signin-oidc.FALSE.13340887735359334..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkHB6alahUr8qJ7G_3AejtooymTWCzyO89hshJeX8Gh78kohbIw0IQY4v6LZriT4P2fGeBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VSMOfm-L0RnS8.N..support.office.com.TRUE./.FALSE.13372509232238068.EXPID.8e067c40-5461-4aef-885f-2c92ce6a5474...microsoft.com.TRUE./.FALSE.13372422837017624.MC1.GUID=749eee6039c5489b9db3000c7

Process:	C:\Users\user\Desktop\random.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	3810
Entropy (8bit):	4.6872218402303165
Encrypted:	false
SSDEEP:	24:1REjiTAaR+gZ2KDRSjmnV69RuezESHcAFPS+ep0npIk/6I3ZuieIeKvJK5fCKsLm:giTnXDojmW8ABwi+M30W85fzsLm
MD5:	00C57D206A1CD7FC853656AF026AEC7E
SHA1:	0C3FDC977E7AE71D989B208A61DB93C66601177E
SHA-256:	C8A26AFF672F06B9C4D80286E0EF8DDE8B2B41FF4C317AB75ACA0FD0D01C751E
SHA-512:	74ECC9628812D52785545D3C5304AD5735C8D6C484C389B46F5D61AFCB339F136931C9A7A7759A6656028277B16ED6C21475F2E741B466516A9CA95BA5F61773
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: vUlh7stUHJ.exe, Detection: malicious, Browse Filename: vUlh7stUHJ.exe, Detection: malicious, Browse Filename: 2zirzlMVqX.bat, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	from typing import Optional, Union, Callable....RandFunc = Callable[[int],int]....class IntegerBase:.... def __init__(self, value: Union[IntegerBase, int]): ....... def __int__(self) -> int: ..... def __str__(self) -> str: ..... def __repr__(self) -> str: ..... def to_bytes(self, block_size: Optional[int]=0, byteorder: str= ...) -> bytes: ..... @staticmethod.. def from_bytes(byte_string: bytes, byteorder: Optional[str] = ...) -> IntegerBase: ..... def __eq__(self, term: object) -> bool: ..... def __ne__(self, term: object) -> bool: ..... def __lt__(self, term: Union[IntegerBase, int]) -> bool: ..... def __le__(self, term: Union[IntegerBase, int]) -> bool: ..... def __gt__(self, term: Union[IntegerBase, int]) -> bool: ..... def __ge__(self, term: Union[IntegerBase, int]) -> bool: ..... def __nonzero__(self) -> bool: ..... def is_negative(self) -> bool: ..... def __add__(self, term: Union[IntegerBase, int]) -> IntegerBase: ..... def __su

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.992307862787898
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	random.exe
File size:	24'997'182 bytes
MD5:	9d60674507ea97985c7e3b08d610f8d7
SHA1:	1fccf49236815c14c5ae08adb8d1b23846051b2d
SHA256:	711cd08835add9feecdd4afcfb8df8370fe98c22969fa2cb0cc010a8c8e25d12
SHA512:	b841cd0c37171b666b8f03908b6643583d97625321f2017caebfb6c3f9b59ecb8f545586170d2467fe05c378e5411f1108cb3b4b53402661506fdd2f0f040df6
SSDEEP:	393216:hQvPJ/582VKol2VAkyoHf0O51u8MR5thr3woxkPnB/1isAlzKO4yFmE4RTdj0gNR:kPJmkpkAkhMKBorx3Lz/n4RTdIgEmSEr
TLSH:	25473306B15F22A4FCF23A785A63CA25E127FC2D387DDA4D0BA831A61F771C1C529764
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x338f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa4000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x338f4	0x33a00	0426bd5b3b3bc6c50381f029cdf015bd	False	0.18911735774818403	data	3.215581596222169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa4000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x70554	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x7109c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x72648	0x2ec28	Device independent bitmap graphic, 181 x 512 x 32, image size 185344, resolution 5905 x 5905 px/m			0.1412534981830333
RT_DIALOG	0xa1270	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0xa14f8	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0xa1634	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0xa1720	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0xa1850	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0xa1b88	0x252	data	English	United States	0.5757575757575758
RT_STRING	0xa1ddc	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0xa1fc0	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0xa218c	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0xa2344	0x146	data	English	United States	0.5153374233128835
RT_STRING	0xa248c	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0xa28f8	0x166	data	English	United States	0.49162011173184356
RT_STRING	0xa2a60	0x152	data	English	United States	0.5059171597633136
RT_STRING	0xa2bb4	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0xa2cc0	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0xa2d7c	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0xa2f3c	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0xa318c	0x14	data			1.2
RT_MANIFEST	0xa31a0	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 21:45:35.748279095 CET	56812	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:45:35.755995989 CET	53	56812	1.1.1.1	192.168.2.4
Jan 7, 2025 21:45:36.941576958 CET	57098	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:45:36.948576927 CET	53	57098	1.1.1.1	192.168.2.4
Jan 7, 2025 21:45:37.919439077 CET	60730	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:45:37.926733971 CET	53	60730	1.1.1.1	192.168.2.4
Jan 7, 2025 21:45:39.338268995 CET	60298	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:45:39.345885992 CET	53	60298	1.1.1.1	192.168.2.4
Jan 7, 2025 21:45:40.019010067 CET	55943	53	192.168.2.4	1.1.1.1
Jan 7, 2025 21:45:40.028147936 CET	53	55943	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	15:45:01
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0x7ff7332b0000
File size:	24'997'182 bytes
MD5 hash:	9D60674507EA97985C7E3B08D610F8D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	15:45:28
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\Devis.exe"
Imagebase:	0x7ff7a4f20000
File size:	71'680 bytes
MD5 hash:	DF512D4AF07ADDF48EB621469C68A001
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.1957030601.000001432E88B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.1956753714.000001432E884000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2136532382.000001432FF48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2142621910.000001432FF58000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.1957458755.000001432E87B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.1956500494.000001432E8EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	15:45:32
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff748c20000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Browsers Data\Chromium\Google Chrome\Browser Cookies (Default).cs

C:\Users\user\AppData\Local\Temp\Log (user).zip

C:\Users\user\AppData\Local\Temp\Log Report (user).cs

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerBase.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerCustom.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerGMP.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_IntegerNative.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Math\_modexp.pyd

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\DH.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\KDF.pyc

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\KDF.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\SecretSharing.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\__init__.pyc

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\__init__.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\_scrypt.pyd

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\PublicKey\DSA.pyi

Windows Analysis Report
random.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\init.pyc

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Protocol\init.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Random\init.pyc

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Random\init.pyi

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\Util\init.pyc

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\init.pyc

C:\Users\user\AppData\Local\Temp\RarSFX0\lib\Crypto\init.pyi

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre