Windows Analysis Report
main.exe

Overview

General Information

Sample name: main.exe
Analysis ID: 1544130
MD5: 0365c26cf424fc16eb09ac463ebc5b40
SHA1: 3368585d33818bc4fb4599f9a91c9fdcc0903554
SHA256: 2c818ce90a45ce6ae4a445a996713781507881fb3c5826f2a601d16d79f24b38

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found pyInstaller with non standard icon
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

Source: main.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: classification engine Classification label: mal48.evad.winEXE@11/64@0/9
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2144:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762
Source: main.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\main.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\main.exe File read: C:\Users\user\Desktop\main.exe
Source: unknown Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
Source: C:\Users\user\Desktop\main.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\main.exe Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
Source: C:\Users\user\Desktop\main.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-WmiObject -Class Win32_VideoController).VideoModeDescription;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\main.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-WmiObject -Class Win32_VideoController).VideoModeDescription;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\main.exe Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
Source: C:\Users\user\Desktop\main.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-WmiObject -Class Win32_VideoController).VideoModeDescription;"
Source: C:\Users\user\Desktop\main.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-WmiObject -Class Win32_VideoController).VideoModeDescription;"
Source: C:\Users\user\Desktop\main.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: libffi-7.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\main.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: main.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: main.exe Static file information: File size 7518347 > 1048576
Source: main.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: main.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: main.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: main.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: main.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: main.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: main.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: main.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: main.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: main.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: main.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: main.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: main.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\main.exe Process created: "C:\Users\user\Desktop\main.exe"
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\python310.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\_ctypes.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\ucrtbase.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\libffi-7.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\select.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\_decimal.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\_ssl.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\_socket.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\_hashlib.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\python3.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\_queue.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\libssl-1_1.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\_lzma.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\_bz2.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\unicodedata.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\psutil\_psutil_windows.pyd
Source: C:\Users\user\Desktop\main.exe File created: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer\md.cp310-win_amd64.pyd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (this entry is recorded 62 times in the report)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 885
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6870
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1817
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4144
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\python310.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\python3.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer\md__mypyc.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\psutil\_psutil_windows.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer\md.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3932 Thread sleep count: 885 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3932 Thread sleep count: 6870 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7092 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1660 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5968 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588 Thread sleep count: 1817 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588 Thread sleep count: 4144 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6860 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6860 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
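The rows in this section are the sandbox's flat text export, and the thresholds it applied are visible in the rows themselves ("885 > 30", "... >= -30000s"). As an added example, not part of the Joe Sandbox report and not the sample's own code, the Python script below parses lines in the "Source: <process> <event>" shape, re-applies those two thresholds, and fingerprints the PyInstaller bundle from the dropped-file paths (extraction directory, Python version from pythonXY.dll, bundled packages from sub-directories, compiled extension modules). The embedded input rows are copied from this report; the regular expressions, the assumption that a source path ends at the first ".exe ", and the field names of the summary are mine.

```python
import re

# Constructed input: rows copied verbatim from this report's evasion section.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3932 Thread sleep count: 885 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7092 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5968 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\python310.dll Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64762\psutil\_psutil_windows.pyd Jump to dropped file
Source: C:\Users\user\Desktop\main.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-WmiObject -Class Win32_VideoController).VideoModeDescription;"
"""

# Thresholds taken from the comparisons the report prints ("885 > 30",
# "... >= -30000s").  Sleep times carry a leading minus because NT delay
# intervals are relative, so only the magnitude is compared.
SLEEP_COUNT_THRESHOLD = 30
SLEEP_SECONDS_THRESHOLD = 30_000

# Assumed export format: "Source: <path ending in .exe> <event text>".
ROW_RE = re.compile(r"^Source: (?P<src>.+?\.exe) (?P<event>.+)$")
WMI_RE = re.compile(r"^WMI Queries: .*\bfrom (?P<cls>Win32_\w+)")
SLEEP_COUNT_RE = re.compile(r"^TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)")
SLEEP_TIME_RE = re.compile(r"^TID: (?P<tid>\d+) Thread sleep time: (?P<secs>-?\d+)s")
DROPPED_RE = re.compile(r"^Dropped PE file which has not been started: (?P<path>.+?) Jump to dropped file$")
PROC_RE = re.compile(r"^Process created: (?P<image>.+?\.exe) (?P<cmdline>.+)$")
MEI_RE = re.compile(r"\\(?P<dir>_MEI\d+)\\(?P<inner>.+)$")      # PyInstaller onefile extraction dir
PYDLL_RE = re.compile(r"^python(?P<major>\d)(?P<minor>\d\d?)\.dll$", re.IGNORECASE)


def _base(path):
    """Last path component, lower-cased (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(report_text):
    """Return a summary dict of the evasion-relevant signals in the rows."""
    summary = {
        "wmi_classes": [],
        "sleep_findings": [],            # (process, tid, kind, magnitude)
        "vm_check_via_powershell": False,
        "pyinstaller": {"extract_dir": None, "python_version": None,
                        "packages": set(), "extension_modules": set()},
    }
    pyi = summary["pyinstaller"]
    for line in report_text.splitlines():
        row = ROW_RE.match(line.strip())
        if not row:
            continue
        src, event = _base(row["src"]), row["event"]
        if m := WMI_RE.match(event):
            summary["wmi_classes"].append(m["cls"])
        elif m := SLEEP_COUNT_RE.match(event):
            if int(m["n"]) > SLEEP_COUNT_THRESHOLD:
                summary["sleep_findings"].append((src, int(m["tid"]), "count", int(m["n"])))
        elif m := SLEEP_TIME_RE.match(event):
            secs = abs(int(m["secs"]))   # magnitude of the relative delay
            if secs >= SLEEP_SECONDS_THRESHOLD:
                summary["sleep_findings"].append((src, int(m["tid"]), "seconds", secs))
        elif m := DROPPED_RE.match(event):
            if mei := MEI_RE.search(m["path"]):
                pyi["extract_dir"] = mei["dir"]
                parts = mei["inner"].split("\\")
                if len(parts) > 1:           # a sub-directory is a bundled package
                    pyi["packages"].add(parts[0])
                name = parts[-1]
                if v := PYDLL_RE.match(name):
                    pyi["python_version"] = f"{v['major']}.{v['minor']}"
                elif name.lower().endswith(".pyd"):
                    pyi["extension_modules"].add(name)
        elif m := PROC_RE.match(event):
            if _base(m["image"]) == "powershell.exe" and "win32_videocontroller" in m["cmdline"].lower():
                summary["vm_check_via_powershell"] = True
    return summary


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_ROWS))
```

Two caveats when using this on a full export: the sandbox logs every process on the guest, so a row such as the svchost.exe sleep above is host noise unless the process is in the sample's tree, and the "Thread delayed: delay time: 922337203685477" rows use a different unit than the "Thread sleep time" rows and are deliberately left unparsed here rather than guessed at.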
Source: C:\Users\user\Desktop\main.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\main.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\main.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\main.exe Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
Source: C:\Users\user\Desktop\main.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-WmiObject -Class Win32_VideoController).VideoModeDescription;"
Source: C:\Users\user\Desktop\main.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(Get-WmiObject -Class Win32_VideoController).VideoModeDescription;"
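The three process-creation rows above are the sample's footprint on an endpoint: a binary on the user's desktop respawns itself (the PyInstaller onefile bootloader pattern, consistent with the _MEI64762 extraction directory) and the child launches powershell.exe to read Win32_VideoController. As an added example, not from the report and not the sample's own code, here is a Python detector that applies that logic to process-creation events in a Sysmon Event ID 1-like shape. The event records, PIDs, the benign control events, the interactive-shell allowlist and the severity scheme are constructed assumptions for illustration; only the main.exe and powershell.exe command lines are taken from the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1-like record (field names are assumptions)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events reproducing the report's chain plus two benign controls.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6476, 1000, r"C:\Users\user\Desktop\main.exe", r'"C:\Users\user\Desktop\main.exe"'),
    ProcEvent(6500, 6476, r"C:\Users\user\Desktop\main.exe", r'"C:\Users\user\Desktop\main.exe"'),
    ProcEvent(6588, 6500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -Command "(Get-WmiObject -Class Win32_VideoController).VideoModeDescription;"'),
    # Benign control: an operator runs the same class from an interactive shell.
    ProcEvent(7000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(7001, 7000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -Command "Get-CimInstance Win32_VideoController"'),
]

INTERACTIVE_SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Only the class this report evidences; extend with other hardware classes if desired.
VM_PROBE_CLASSES = {"win32_videocontroller"}
WMI_CMD_RE = re.compile(r"\b(get-wmiobject|gwmi|get-ciminstance|gcim)\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(users|temp|programdata)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_wmi_hw_probe(cmdline):
    """True when a WMI/CIM cmdlet (or alias) targets a hardware class used for VM checks."""
    low = cmdline.lower()
    return bool(WMI_CMD_RE.search(low)) and any(cls in low for cls in VM_PROBE_CLASSES)


def has_self_respawn(ev, by_pid):
    """Image equals its parent's image and lives in a user-writable path."""
    parent = by_pid.get(ev.ppid)
    return (parent is not None and basename(parent.image) == basename(ev.image)
            and bool(USER_WRITABLE_RE.search(ev.image)))


def detect(events):
    """Return alerts for PowerShell hardware probes spawned by non-interactive parents."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) not in {"powershell.exe", "pwsh.exe"} or not is_wmi_hw_probe(ev.cmdline):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or basename(parent.image) in INTERACTIVE_SHELLS:
            continue                      # typed by an operator: not interesting
        reasons = ["wmi-hardware-probe"]
        if USER_WRITABLE_RE.search(parent.image):
            reasons.append("parent-in-user-writable-path")
        if has_self_respawn(parent, by_pid):
            reasons.append("parent-self-respawn")   # onefile bootloader pattern
        alerts.append({"pid": ev.pid, "parent": parent.image,
                       "severity": "high" if len(reasons) >= 2 else "medium",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The allowlist of interactive parents is what keeps the control event quiet; in a real deployment it should be narrowed further by user context (an interactive session versus a service) rather than by image name alone, since a dropped binary can just as well spawn cmd.exe first.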
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\certifi VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\ucrtbase.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation (27 identical entries)
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-console-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-debug-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l1-2-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-file-l2-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-heap-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-libraryloader-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-localization-l1-2-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-namedpipe-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-processenvironment-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-processthreads-l1-1-1.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-timezone-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-core-util-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-math-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\api-ms-win-crt-process-l1-1-0.dll VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\psutil VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\psutil VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\_lzma.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\psutil VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\psutil VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\psutil\_psutil_windows.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\_queue.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer\md.cp310-win_amd64.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\charset_normalizer\md__mypyc.cp310-win_amd64.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\certifi VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\certifi VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762 VolumeInformation
Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64762\certifi\cacert.pem VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\Desktop\main.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid