Windows Analysis Report
UiF5hKi5o7.exe

Overview

General Information

Sample name: UiF5hKi5o7.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: D14972C18F26FD101DF4502B6D1DA4C36EA30679AE0E9BD12D6148E99F3C5652
Analysis ID: 1546646
MD5: e54e6d6f9a6e2abac7563407294cb9ee
SHA1: cb0853fd275bd4fc1354742fb2bb8b98095b39fa
SHA256: d14972c18f26fd101df4502b6d1da4c36ea30679ae0e9bd12d6148e99f3c5652
Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Found pyInstaller with non standard icon
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 83.4% probability
Source: UiF5hKi5o7.exe Joe Sandbox ML: detected
Source: UiF5hKi5o7.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1m 14 Dec 2021built on: Sun Dec 19 14:27:21 2021 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.1.dr
Source: Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2222800542.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\unicodedata.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr
Source: Binary string: C:\A\39\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_socket.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb## source: _decimal.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.1.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdbMM source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb source: _decimal.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_hashlib.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\python310.pdb source: UiF5hKi5o7.exe, 00000004.00000002.2246833194.00007FF8A8E1E000.00000002.00000001.01000000.00000005.sdmp, python310.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\select.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, select.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_bz2.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.1.dr
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772628080 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772617BB0 FindFirstFileExW,FindClose, 1_2_00007FF772617BB0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772632044 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF772632044
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:64384
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:64593
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digi
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, libcrypto-1_1.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: UiF5hKi5o7.exe, 00000004.00000002.2245359860.0000022947158000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: UiF5hKi5o7.exe, 00000004.00000003.2234325231.000002294585C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2239835637.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232628185.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233510649.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2234043245.00000229457E6000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233121913.0000022945852000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2230956092.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233736541.00000229457D5000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2245337210.000002294585D000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231541657.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2233712095.0000022945858000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2231283061.0000022945855000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000003.2232290616.0000022945832000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: UiF5hKi5o7.exe, 00000004.00000002.2246833194.00007FF8A8E1E000.00000002.00000001.01000000.00000005.sdmp, python310.dll.1.dr String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE208E000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2226385108.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2224982798.000001AFE208C000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr, _lzma.pyd.1.dr, _decimal.pyd.1.dr, _hashlib.pyd.1.dr, _socket.pyd.1.dr, libcrypto-1_1.dll.1.dr, python310.dll.1.dr, select.pyd.1.dr, _bz2.pyd.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: libcrypto-1_1.dll.1.dr String found in binary or memory: https://www.openssl.org/H
Source: UiF5hKi5o7.exe, 00000001.00000003.2224391384.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.1.dr String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: UiF5hKi5o7.exe, 00000004.00000002.2245359860.00000229470D0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.1.dr String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772616B80 1_2_00007FF772616B80
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77263741C 1_2_00007FF77263741C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726364D0 1_2_00007FF7726364D0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772628080 1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772631098 1_2_00007FF772631098
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772621404 1_2_00007FF772621404
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726223DC 1_2_00007FF7726223DC
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726343E0 1_2_00007FF7726343E0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726184D0 1_2_00007FF7726184D0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77263A158 1_2_00007FF77263A158
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772621200 1_2_00007FF772621200
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77262328C 1_2_00007FF77262328C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77262E24C 1_2_00007FF77262E24C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772623AC8 1_2_00007FF772623AC8
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772622774 1_2_00007FF772622774
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77263674C 1_2_00007FF77263674C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772621814 1_2_00007FF772621814
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772620FF4 1_2_00007FF772620FF4
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77263487C 1_2_00007FF77263487C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772632044 1_2_00007FF772632044
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772628904 1_2_00007FF772628904
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726260F0 1_2_00007FF7726260F0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77262ED60 1_2_00007FF77262ED60
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772621610 1_2_00007FF772621610
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772620DF0 1_2_00007FF772620DF0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77262A660 1_2_00007FF77262A660
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77262E6E0 1_2_00007FF77262E6E0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772627ECC 1_2_00007FF772627ECC
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772636ED0 1_2_00007FF772636ED0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726236C4 1_2_00007FF7726236C4
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 4_2_00007FF8BFB97508 4_2_00007FF8BFB97508
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: String function: 00007FF772611F60 appears 52 times
Source: unicodedata.pyd.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2223280999.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2222800542.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe Binary or memory string: OriginalFilename vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000004.00000002.2247277820.00007FF8A8F37000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamepython310.dll. vs UiF5hKi5o7.exe
Source: UiF5hKi5o7.exe, 00000004.00000002.2247392718.00007FF8BFBA7000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs UiF5hKi5o7.exe
Source: classification engine Classification label: mal52.winEXE@4/11@0/0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726177F0 GetLastError,FormatMessageW,WideCharToMultiByte, 1_2_00007FF7726177F0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_03
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162
Source: UiF5hKi5o7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File read: C:\Users\user\Desktop\UiF5hKi5o7.exe
Source: unknown Process created: C:\Users\user\Desktop\UiF5hKi5o7.exe "C:\Users\user\Desktop\UiF5hKi5o7.exe"
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Process created: C:\Users\user\Desktop\UiF5hKi5o7.exe "C:\Users\user\Desktop\UiF5hKi5o7.exe"
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: UiF5hKi5o7.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: UiF5hKi5o7.exe Static file information: File size 5462278 > 1048576
Source: UiF5hKi5o7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UiF5hKi5o7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UiF5hKi5o7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UiF5hKi5o7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UiF5hKi5o7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UiF5hKi5o7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UiF5hKi5o7.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\a01\_work\4\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2222800542.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, UiF5hKi5o7.exe, 00000004.00000002.2247348346.00007FF8BFBA1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\unicodedata.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2228333608.000001AFE2088000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.1.dr
Source: Binary string: C:\A\39\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_socket.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2224157401.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_lzma.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2223955958.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.1.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_decimal.pdb source: _decimal.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_hashlib.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2223547985.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\python310.pdb source: UiF5hKi5o7.exe, 00000004.00000002.2246833194.00007FF8A8E1E000.00000002.00000001.01000000.00000005.sdmp, python310.dll.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\select.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2228136199.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, select.pyd.1.dr
Source: Binary string: C:\A\35\b\bin\amd64\_bz2.pdb source: UiF5hKi5o7.exe, 00000001.00000003.2222960947.000001AFE2082000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.1.dr
Source: UiF5hKi5o7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UiF5hKi5o7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UiF5hKi5o7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UiF5hKi5o7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UiF5hKi5o7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: UiF5hKi5o7.exe Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.1.dr Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.1.dr Static PE information: section name: .00cfg
Source: python310.dll.1.dr Static PE information: section name: PyRuntim
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772655078 push rcx; ret 1_2_00007FF772655079
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772655048 push rcx; retn 0000h 1_2_00007FF772655049

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Process created: "C:\Users\user\Desktop\UiF5hKi5o7.exe"
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\python310.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_lzma.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_hashlib.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe File created: C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726143E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00007FF7726143E0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\python310.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_lzma.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_hashlib.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772628080 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError, 1_2_00007FF772628080
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772617BB0 FindFirstFileExW,FindClose, 1_2_00007FF772617BB0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772632044 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00007FF772632044
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77261BADC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF77261BADC
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772633C50 GetProcessHeap, 1_2_00007FF772633C50
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77261BC84 SetUnhandledExceptionFilter, 1_2_00007FF77261BC84
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77261B230 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00007FF77261B230
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77262AE08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00007FF77262AE08
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 4_2_00007FF8BFBA004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF8BFBA004C
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF772639FA0 cpuid 1_2_00007FF772639FA0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162 VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\libcrypto-1_1.dll VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\_decimal.pyd VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77261B9C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00007FF77261B9C0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726364D0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 1_2_00007FF7726364D0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
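Reading the behaviour lines above by hand is error-prone, so the following triage script is added here as an example; it is not part of the Joe Sandbox report and not code from the sample. It parses lines in the report's own format (one event per line, copied above as constructed input), aggregates the "Queries volume information" events by target, recovers the PyInstaller extraction directory from the `_MEI<pid>` name (the onefile bootloader names that directory after its own process id, so 55162 is the PID that unpacked `base_library.zip`), and labels the two "Code function" API sequences. The labels are a heuristic of this example, not a verdict from the report: `GetSystemTimeAsFileTime`, `GetCurrentThreadId`, `GetCurrentProcessId` and `QueryPerformanceCounter` are exactly the values the MSVC CRT mixes into the stack cookie in every /GS-compiled binary, and `_get_daylight` followed by `GetTimeZoneInformation` is the CRT's time-zone initialisation, so neither function is evidence of anti-analysis on its own. The `MachineGuid` read is kept as a fingerprinting indicator because it is a stable per-install value, but legitimate software reads it too; the script only surfaces it, it does not score it.

```python
"""Triage helper for Joe Sandbox-style behaviour lines (added example, not from the report)."""
import re
from collections import Counter

# Constructed input in the report's line format; a real report has hundreds of lines.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\Desktop\UiF5hKi5o7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI55162 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF77261B9C0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00007FF77261B9C0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Code function: 1_2_00007FF7726364D0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 1_2_00007FF7726364D0
Source: C:\Users\user\Desktop\UiF5hKi5o7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
No contacted IP infos
"""

VOLUME_RE = re.compile(r"^Source: (?P<src>.+?) Queries volume information: (?P<target>.+?) VolumeInformation\b")
CODEFUNC_RE = re.compile(r"^Source: (?P<src>.+?) Code function: (?P<addr>\S+) (?P<apis>\S+) ")
REGVAL_RE = re.compile(r"^Source: (?P<src>.+?) Key value queried: (?P<key>\S+) (?P<value>\S+)")
# PyInstaller onefile extracts into %TEMP%\_MEI<pid>; the number is the bootloader's PID.
MEI_RE = re.compile(r"\\_MEI(?P<pid>\d+)(?=\\|$)")

# Heuristic of this example (assumption, not report data): API sets emitted by MSVC
# CRT start-up code. The first is the stack-cookie seed (__security_init_cookie),
# the second is CRT time-zone initialisation. A match means "CRT noise", not malice.
CRT_NOISE = {
    "msvc_security_init_cookie": {"GetSystemTimeAsFileTime", "GetCurrentThreadId",
                                  "GetCurrentProcessId", "QueryPerformanceCounter"},
    "msvc_crt_tzset": {"_get_daylight", "GetTimeZoneInformation"},
}

# Registry values commonly read to fingerprint a host (lower-cased key, lower-cased value).
FINGERPRINT_VALUES = {(r"hkey_local_machine\software\microsoft\cryptography", "machineguid")}


def classify_apis(apis):
    """Return the CRT_NOISE label whose API set is fully present in `apis`, else None."""
    seen = {a for a in apis if a}          # drop the empty item from a trailing comma
    for label, pattern in CRT_NOISE.items():
        if pattern <= seen:
            return label
    return None


def triage(report_text):
    """Aggregate behaviour lines into counts and indicators; unparsed lines are kept."""
    result = {
        "volume_queries": Counter(),       # target path -> number of events
        "pyinstaller_pids": set(),         # PIDs recovered from _MEI<pid> directories
        "code_functions": [],              # (function address, CRT label or None)
        "registry_fingerprints": [],       # (key, value) reads that look like fingerprinting
        "unparsed": [],
    }
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := VOLUME_RE.match(line):
            target = m.group("target")
            result["volume_queries"][target] += 1
            if mei := MEI_RE.search(target):
                result["pyinstaller_pids"].add(int(mei.group("pid")))
        elif m := CODEFUNC_RE.match(line):
            apis = m.group("apis").split(",")
            result["code_functions"].append((m.group("addr"), classify_apis(apis)))
        elif m := REGVAL_RE.match(line):
            key, value = m.group("key"), m.group("value")
            if (key.lower(), value.lower()) in FINGERPRINT_VALUES:
                result["registry_fingerprints"].append((key, value))
        else:
            result["unparsed"].append(line)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    for target, n in r["volume_queries"].most_common():
        print(f"{n:3d}x volume query  {target}")
    print("PyInstaller bootloader PID(s):", sorted(r["pyinstaller_pids"]))
    for addr, label in r["code_functions"]:
        print(f"code function {addr}: {label or 'no CRT pattern matched, inspect manually'}")
    for key, value in r["registry_fingerprints"]:
        print(f"fingerprint read: {key}\\{value}")
```

Run it on a saved copy of a report's behaviour section; anything that lands in `unparsed` is a line shape the regexes do not know and should be added rather than ignored. Functions that match no `CRT_NOISE` entry are the ones worth opening in a disassembler.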
No contacted IP infos