Windows Analysis Report
X4KSeQkYJT.exe

Overview

General Information

Sample name: X4KSeQkYJT.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: CBCE5EE823038720ED796118CC5A10FB04979B31F107C6161D8CC0E6B1D23923
Analysis ID: 1546645
MD5: e7860ba329460f1e4bf4044ca8beff56
SHA1: a5ce48ec7e14555a87d752ec45e84947dfa61f60
SHA256: cbce5ee823038720ed796118cc5a10fb04979b31f107c6161d8cc0e6b1d23923

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found pyInstaller with non standard icon
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic

Classification

AV Detection

Source: X4KSeQkYJT.exe Joe Sandbox ML: detected
Source: X4KSeQkYJT.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1m 14 Dec 2021built on: Sun Dec 19 14:27:21 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_ssl.pdb source: _ssl.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\unicodedata.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B081000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.2.dr
Source: Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1909065544.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1931409696.00007FFE1A511000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.2.dr
Source: Binary string: C:\A\39\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_socket.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1931039791.00007FFE13338000.00000002.00000001.01000000.00000008.sdmp, _socket.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_ctypes.pdb source: X4KSeQkYJT.exe, 00000004.00000002.1931238448.00007FFE1A470000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb## source: _decimal.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_multiprocessing.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.2.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdbMM source: X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_asyncio.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.2.dr
Source: Binary string: C:\A\39\b\libssl-1_1.pdb?? source: libssl-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_queue.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_overlapped.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _overlapped.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb source: _decimal.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_hashlib.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\python310.pdb source: X4KSeQkYJT.exe, 00000004.00000002.1929421985.00007FFDFB78E000.00000002.00000001.01000000.00000004.sdmp, python310.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\select.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1931136045.00007FFE1A453000.00000002.00000001.01000000.00000009.sdmp, select.pyd.2.dr
Source: Binary string: C:\A\39\b\libssl-1_1.pdb source: libssl-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_bz2.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.2.dr
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A31D8C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 2_2_00007FF7A6A31D8C
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A3C064 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 2_2_00007FF7A6A3C064
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FF7A6A3C064 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 4_2_00007FF7A6A3C064
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FF7A6A31D8C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 4_2_00007FF7A6A31D8C
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 20.189.173.22:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 20.189.173.22:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.4:49743
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE13335A58 memset,recvfrom, 4_2_00007FFE13335A58
00000002.00000003.1914325656.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _overlapped.pyd.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: X4KSeQkYJT.exe, 00000004.00000003.1919582785.000001FB0FD5C000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1925429247.000001FB0FD66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://json.org
Source: X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B081000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913723365.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910849592.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910549788.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911941665.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1914325656.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _overlapped.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, pyexpat.pyd.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B081000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913723365.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910849592.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910549788.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911941665.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1914325656.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _overlapped.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, pyexpat.pyd.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B085000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913723365.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910849592.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910549788.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913338352.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911941665.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 
00000002.00000003.1913475260.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B085000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913338352.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913475260.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.2.dr, libffi-7.dll.2.dr, libssl-1_1.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B085000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913723365.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910849592.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910549788.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911941665.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913475260.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 
00000002.00000003.1914325656.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _overlapped.pyd.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: X4KSeQkYJT.exe, 00000002.00000003.1913338352.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: X4KSeQkYJT.exe, 00000002.00000003.1913338352.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: X4KSeQkYJT.exe, 00000002.00000003.1913338352.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: X4KSeQkYJT.exe, 00000002.00000003.1913338352.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B085000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B081000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913723365.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910849592.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910549788.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911941665.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913475260.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 
00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1914325656.000001931B07A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: X4KSeQkYJT.exe, 00000004.00000003.1917762291.000001FB0DA2F000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1923905663.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917875532.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1920093747.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917762291.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917509855.000001FB0DA32000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1921151473.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917614657.000001FB0DA2F000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917492076.000001FB0DA38000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1918762896.000001FB0DA0C000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917368106.000001FB0D9CE000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917368106.000001FB0DA32000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917614657.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: X4KSeQkYJT.exe, 00000004.00000003.1917509855.000001FB0DA32000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1924050899.000001FB0DAE8000.00000004.00001000.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917368106.000001FB0DA32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: X4KSeQkYJT.exe, 00000004.00000002.1923905663.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/imp
Source: X4KSeQkYJT.exe, 00000004.00000003.1919081378.000001FB0DA34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: X4KSeQkYJT.exe, 00000004.00000003.1917762291.000001FB0DA2F000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1918963161.000001FB0DA2A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1923905663.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917875532.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1920093747.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917762291.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917509855.000001FB0DA32000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1921151473.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917614657.000001FB0DA2F000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917492076.000001FB0DA38000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1918762896.000001FB0DA0C000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917368106.000001FB0D9CE000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917368106.000001FB0DA32000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917614657.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1919081378.000001FB0DA34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: X4KSeQkYJT.exe, 00000004.00000003.1917762291.000001FB0DA2F000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917614657.000001FB0DA2F000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1918762896.000001FB0DA0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/cor
Source: X4KSeQkYJT.exe, 00000004.00000002.1923905663.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917875532.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1920093747.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917762291.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917509855.000001FB0DA32000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1921151473.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917492076.000001FB0DA38000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917368106.000001FB0D9CE000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917368106.000001FB0DA32000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000003.1917614657.000001FB0DA08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: X4KSeQkYJT.exe, 00000004.00000002.1929421985.00007FFDFB78E000.00000002.00000001.01000000.00000004.sdmp, python310.dll.2.dr String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B085000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913723365.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910849592.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910549788.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1912326203.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1913338352.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911941665.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B087000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 
00000002.00000003.1913475260.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: X4KSeQkYJT.exe, 00000002.00000003.1913475260.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.2.dr, libssl-1_1.dll.2.dr String found in binary or memory: https://www.openssl.org/H
Source: X4KSeQkYJT.exe, 00000002.00000003.1915926915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1925073716.000001FB0FC14000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.2.dr String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: X4KSeQkYJT.exe, 00000004.00000002.1924050899.000001FB0DA60000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.2.dr String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: String function: 00007FF7A6A21CA0 appears 38 times
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: String function: 00007FF7A6A21C40 appears 86 times
Source: unicodedata.pyd.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B081000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1913723365.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepyexpat.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_asyncio.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1910849592.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1910549788.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_overlapped.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1911941665.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1909065544.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_multiprocessing.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1913475260.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe Binary or memory string: OriginalFilename vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000004.00000002.1930980448.00007FFDFB8A7000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamepython310.dll. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000004.00000002.1931079495.00007FFE13342000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000004.00000002.1931176809.00007FFE1A456000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000004.00000002.1931280068.00007FFE1A47B000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs X4KSeQkYJT.exe
Source: X4KSeQkYJT.exe, 00000004.00000002.1931443216.00007FFE1A517000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs X4KSeQkYJT.exe
Source: classification engine Classification label: mal48.winEXE@4/21@0/0
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A26240 GetLastError,FormatMessageW,WideCharToMultiByte, 2_2_00007FF7A6A26240
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522 Jump to behavior
Source: X4KSeQkYJT.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File read: C:\Users\user\Desktop\X4KSeQkYJT.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\X4KSeQkYJT.exe "C:\Users\user\Desktop\X4KSeQkYJT.exe"
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Process created: C:\Users\user\Desktop\X4KSeQkYJT.exe "C:\Users\user\Desktop\X4KSeQkYJT.exe"
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Process created: C:\Users\user\Desktop\X4KSeQkYJT.exe "C:\Users\user\Desktop\X4KSeQkYJT.exe" Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: python3.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: libffi-7.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File opened: C:\Users\user\Desktop\pyvenv.cfg Jump to behavior
Source: X4KSeQkYJT.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: X4KSeQkYJT.exe Static file information: File size 6950934 > 1048576
Source: X4KSeQkYJT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: X4KSeQkYJT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: X4KSeQkYJT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: X4KSeQkYJT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: X4KSeQkYJT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: X4KSeQkYJT.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: X4KSeQkYJT.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1m 14 Dec 2021built on: Sun Dec 19 14:27:21 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_ssl.pdb source: _ssl.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\unicodedata.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1915539131.000001931B081000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.2.dr
Source: Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1909065544.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1931409696.00007FFE1A511000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.2.dr
Source: Binary string: C:\A\39\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_socket.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911801272.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1931039791.00007FFE13338000.00000002.00000001.01000000.00000008.sdmp, _socket.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_ctypes.pdb source: X4KSeQkYJT.exe, 00000004.00000002.1931238448.00007FFE1A470000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb## source: _decimal.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_multiprocessing.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911346411.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _multiprocessing.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.2.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdbMM source: X4KSeQkYJT.exe, 00000002.00000003.1911217250.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_asyncio.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1909979261.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.2.dr
Source: Binary string: C:\A\39\b\libssl-1_1.pdb?? source: libssl-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_queue.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911659026.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _queue.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_overlapped.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911542908.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _overlapped.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb source: _decimal.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_hashlib.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1911050075.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\python310.pdb source: X4KSeQkYJT.exe, 00000004.00000002.1929421985.00007FFDFB78E000.00000002.00000001.01000000.00000004.sdmp, python310.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\select.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1915346915.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, X4KSeQkYJT.exe, 00000004.00000002.1931136045.00007FFE1A453000.00000002.00000001.01000000.00000009.sdmp, select.pyd.2.dr
Source: Binary string: C:\A\39\b\libssl-1_1.pdb source: libssl-1_1.dll.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.2.dr
Source: Binary string: C:\A\35\b\bin\amd64\_bz2.pdb source: X4KSeQkYJT.exe, 00000002.00000003.1910116733.000001931B07A000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.2.dr
Source: X4KSeQkYJT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: X4KSeQkYJT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: X4KSeQkYJT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: X4KSeQkYJT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: X4KSeQkYJT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: X4KSeQkYJT.exe Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.2.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.2.dr Static PE information: section name: .00cfg
Source: python310.dll.2.dr Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.2.dr Static PE information: section name: _RDATA

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Process created: "C:\Users\user\Desktop\X4KSeQkYJT.exe"
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\libffi-7.dll Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\python310.dll Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe File created: C:\Users\user\AppData\Local\Temp\_MEI73522\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A24430 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00007FF7A6A24430
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\select.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_queue.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_socket.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\python310.dll Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73522\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe API coverage: 1.6 %
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A31D8C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 2_2_00007FF7A6A31D8C
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A3C064 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 2_2_00007FF7A6A3C064
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FF7A6A3C064 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 4_2_00007FF7A6A3C064
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FF7A6A31D8C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 4_2_00007FF7A6A31D8C
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE1A46F634 GetSystemInfo,VirtualAlloc, 4_2_00007FFE1A46F634
Source: X4KSeQkYJT.exe, 00000004.00000002.1925365087.000001FB0FD2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A2A348 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF7A6A2A348
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A3DB40 GetProcessHeap, 2_2_00007FF7A6A3DB40
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A3572C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF7A6A3572C
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A2A4F0 SetUnhandledExceptionFilter, 2_2_00007FF7A6A2A4F0
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A29D44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF7A6A29D44
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FF7A6A2A348 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF7A6A2A348
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FF7A6A3572C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF7A6A3572C
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FF7A6A2A4F0 SetUnhandledExceptionFilter, 4_2_00007FF7A6A2A4F0
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FF7A6A29D44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF7A6A29D44
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE13332C20 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFE13332C20
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE13332660 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFE13332660
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE1A451520 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFE1A451520
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE1A451AF0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFE1A451AF0
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE1A466104 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFE1A466104
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE1A465B60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFE1A465B60
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE1A4F5054 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FFE1A4F5054
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE1A4F4A34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFE1A4F4A34
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE1A51004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FFE1A51004C
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A43A50 cpuid 2_2_00007FF7A6A43A50
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\_socket.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73522\select.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Queries volume information: C:\Users\user\Desktop\X4KSeQkYJT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A2A230 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00007FF7A6A2A230
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 2_2_00007FF7A6A40000 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 2_2_00007FF7A6A40000
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE13335544 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct, 4_2_00007FFE13335544
Source: C:\Users\user\Desktop\X4KSeQkYJT.exe Code function: 4_2_00007FFE133345C0 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct, 4_2_00007FFE133345C0
No contacted IP infos