Windows Analysis Report
saiya.exe

Overview

General Information

Sample name: saiya.exe
Analysis ID: 1562138
MD5: e73e1377e78c7bac85090c9c3cec2462
SHA1: 3edaf9d8a8fc26196280a94a8eed77449a632fc3
SHA256: 4d128967e50d20458a8a9022153ef7941b3e3f116cfdb4f6e611b983adf895b4
Tags: exemalwaretrojanuser-Joker
Infos:

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
AsyncRAT AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Name Description Attribution Blogpost URLs Link
XWorm Malware with wide range of capabilities ranging from RAT to ransomware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: saiya.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.134"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "usb.exe"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\svchost.exe ReversingLabs: Detection: 83%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.7% probability
Machine Learning detection for sample
Source: saiya.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 4.0.svchost.exe.a80000.0.unpack String decryptor: 45.141.26.134
Source: 4.0.svchost.exe.a80000.0.unpack String decryptor: 7000
Source: 4.0.svchost.exe.a80000.0.unpack String decryptor: <123456789>
Source: 4.0.svchost.exe.a80000.0.unpack String decryptor: <Xwormmm>
Source: 4.0.svchost.exe.a80000.0.unpack String decryptor: V5.7
Source: 4.0.svchost.exe.a80000.0.unpack String decryptor: usb.exe
Source: 4.0.svchost.exe.a80000.0.unpack String decryptor: %AppData%
Source: 4.0.svchost.exe.a80000.0.unpack String decryptor: svchost.exe
Uses 32bit PE files
Source: saiya.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: saiya.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbtem source: svchost.exe, 00000004.00000002.4561570435.00000000010D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: saiyasart.exe, 00000008.00000002.2455706440.00007FFD8E611000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbOLED0884F7D973F80C1751804498CB9 source: svchost.exe, 00000004.00000002.4568119121.000000001BE55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: saiyasart.exe, 00000008.00000002.2452323909.00007FFD8DA02000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: saiyasart.exe, 00000002.00000003.2250093619.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2462133068.00007FFDA4341000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: saiyasart.exe, 00000008.00000002.2461492318.00007FFDA3A88000.00000002.00000001.01000000.0000000F.sdmp, _tkinter.pyd.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: 0C:\Windows\mscorlib.pdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: C:\Windows\system32\wbem\fastprox.dlll\??\C:\Windows\symbols\dll\mscorlib.pdb source: svchost.exe, 00000004.00000002.4561570435.00000000010D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000004.00000002.4561173919.00000000010AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: saiyasart.exe, 00000008.00000002.2461910222.00007FFDA4171000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2456596612.00007FFDA3307000.00000002.00000001.01000000.00000015.sdmp, _hashlib.pyd.2.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: api-ms-win-crt-time-l1-1-0.dll.2.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: svchost.exe, 00000004.00000002.4567882913.000000001BE1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2458363517.00007FFDA345C000.00000002.00000001.01000000.0000000E.sdmp, _lzma.pyd.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2461684942.00007FFDA3AED000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ucrtbase.pdbUGP source: saiyasart.exe, 00000008.00000002.2455706440.00007FFD8E611000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2457006751.00007FFDA3429000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: symbols\dll\mscorlib.pdbpdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: saiyasart.exe, 00000008.00000002.2454044426.00007FFD8E2A4000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: saiyasart.exe, 00000008.00000002.2455876714.00007FFD9463F000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: saiyasart.exe, 00000008.00000002.2452323909.00007FFD8DA02000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb` source: svchost.exe, 00000004.00000002.4568119121.000000001BE55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: saiyasart.exe, 00000002.00000003.2250093619.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2462133068.00007FFDA4341000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: saiyasart.exe, 00000008.00000002.2462646549.00007FFDA5803000.00000002.00000001.01000000.00000014.sdmp, select.pyd.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: \??\C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 00000004.00000002.4568119121.000000001BE55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: svchost.exe, 00000004.00000002.4568439306.000000001BEB1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4561570435.00000000010EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: saiyasart.exe, 00000008.00000002.2456350405.00007FFD946D5000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2458363517.00007FFDA345C000.00000002.00000001.01000000.0000000E.sdmp, _lzma.pyd.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2463298768.00007FFDAC113000.00000002.00000001.01000000.00000019.sdmp, _queue.pyd.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: saiyasart.exe, 00000008.00000002.2462975519.00007FFDAC0F4000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: saiyasart.exe, 00000008.00000002.2462975519.00007FFDAC0F4000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: indoC:\Windows\mscorlib.pdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdb source: saiyasart.exe, 00000008.00000002.2456350405.00007FFD946D5000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: saiyasart.exe, 00000008.00000002.2463480430.00007FFDAC12D000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1407820 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 2_2_00007FF7E1407820
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14087E0 FindFirstFileExW,FindClose, 2_2_00007FF7E14087E0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1422A84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00007FF7E1422A84
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FF7E14087E0 FindFirstFileExW,FindClose, 8_2_00007FF7E14087E0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FF7E1422A84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_00007FF7E1422A84
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI69482\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49740 -> 45.141.26.134:7000
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.26.134:7000 -> 192.168.2.6:49740
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49740 -> 45.141.26.134:7000
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.141.26.134:7000 -> 192.168.2.6:49740
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49740 -> 45.141.26.134:7000
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 208.95.112.1 80 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 45.141.26.134 7000 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 45.141.26.134
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Yara detected Generic Downloader
Source: Yara match File source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49740 -> 45.141.26.134:7000
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View IP Address: 172.67.19.24 172.67.19.24
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SPECTRAIPSpectraIPBVNL SPECTRAIPSpectraIPBVNL
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: unknown TCP traffic detected without corresponding DNS query: 45.141.26.134
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: saiyasart.exe, 00000008.00000002.2450297129.000002B62997C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.../back.jpeg
Source: saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.co
Source: saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.co%
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: saiyasart.exe, 00000008.00000003.2418376315.000002B628F01000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415517958.000002B628EF7000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628EFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415350474.000002B628EF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: saiyasart.exe, 00000008.00000003.2434493444.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2426874074.000002B6290F1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2436249991.000002B628DA5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2426874074.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449576036.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: saiyasart.exe, 00000008.00000002.2448500428.000002B628DFD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416594735.000002B628DF5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416742342.000002B628DF8000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2419355907.000002B628DD9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421251058.000002B628DDA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417667714.000002B628DF9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2426001663.000002B628DE8000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442839575.000002B628DFC000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417836781.000002B628DCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: saiyasart.exe, 00000008.00000003.2437989156.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437300945.000002B628F91000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438238672.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418376315.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442355583.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2448693465.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442549342.000002B628F98000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416742342.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422162828.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438877424.000002B628F97000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415350474.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416947549.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437145035.000002B628F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: saiyasart.exe, 00000008.00000003.2437989156.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437300945.000002B628F91000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438238672.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418376315.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442549342.000002B628F98000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422162828.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438877424.000002B628F97000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415350474.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437145035.000002B628F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl(
Source: saiyasart.exe, 00000008.00000003.2426874074.000002B6290F1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2436249991.000002B628DA5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: saiyasart.exe, 00000008.00000003.2434493444.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2426874074.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449576036.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: saiyasart.exe, 00000008.00000003.2426874074.000002B6290F1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlJ
Source: saiyasart.exe, 00000008.00000002.2449171810.000002B629077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: saiyasart.exe, 00000008.00000002.2448598741.000002B628E88000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2443593563.000002B628E88000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416594735.000002B628E64000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2440946184.000002B628E87000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421090535.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417048213.000002B628E77000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425584740.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428186224.000002B628E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442724569.000002B62906A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2435724226.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437717857.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442144746.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449171810.000002B629077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: saiyasart.exe, 00000008.00000002.2448598741.000002B628E88000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2443593563.000002B628E88000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416594735.000002B628E64000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2440946184.000002B628E87000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421090535.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417048213.000002B628E77000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425584740.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428186224.000002B628E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442724569.000002B62906A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2435724226.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437717857.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442144746.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449171810.000002B629077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2419355907.000002B628DD9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421251058.000002B628DDA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2426001663.000002B628DE8000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417836781.000002B628DCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: select.pyd.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: saiyasart.exe, 00000008.00000003.2361128711.000002B628FC4000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361128711.000002B628FB3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2435882414.000002B628FD4000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361771061.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2450297129.000002B629930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: saiyasart.exe, 00000008.00000003.2362335332.000002B628DA6000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421484930.000002B628DD2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421982055.000002B628DD3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417836781.000002B628DCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: saiyasart.exe, 00000008.00000003.2416594735.000002B628E64000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421090535.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2434217255.000002B628E92000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417048213.000002B628E77000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438503588.000002B628E93000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628E86000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425584740.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428186224.000002B628E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: saiyasart.exe, 00000008.00000003.2416594735.000002B628E64000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438356979.000002B628EAE000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417048213.000002B628E77000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425584740.000002B628EAE000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423532031.000002B628EAD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442355583.000002B628EAE000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628E86000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418165101.000002B628EAA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2441326431.000002B628EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: saiya.exe, 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4562131106.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: saiyasart.exe, 00000008.00000002.2448500428.000002B628DFD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416594735.000002B628DF5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416742342.000002B628DF8000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417667714.000002B628DF9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442839575.000002B628DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2432777900.000002B62909A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B629088000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449427888.000002B62909B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.es0
Source: saiyasart.exe, 00000008.00000002.2448500428.000002B628DFD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416594735.000002B628DF5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416742342.000002B628DF8000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417667714.000002B628DF9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442839575.000002B628DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.accv.estsF
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: saiyasart.exe, 00000008.00000003.2437989156.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416594735.000002B628E64000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2448598741.000002B628E82000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437300945.000002B628F91000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438238672.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418376315.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421090535.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442549342.000002B628F98000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422162828.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417048213.000002B628E77000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438877424.000002B628F97000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415350474.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425584740.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428186224.000002B628E7F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437145035.000002B628F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: svchost.exe, 00000004.00000002.4562131106.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2432777900.000002B62909A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2448500428.000002B628DFD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416594735.000002B628DF5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416742342.000002B628DF8000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B629088000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449427888.000002B62909B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417667714.000002B628DF9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442839575.000002B628DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449171810.000002B629080000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442724569.000002B62906A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2435724226.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437717857.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442144746.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2443828015.000002B62907F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2432777900.000002B62909A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B629088000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449427888.000002B62909B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: saiyasart.exe, 00000008.00000003.2414842185.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2433806687.000002B6290AD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2427403775.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2432777900.000002B62909A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B629088000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449427888.000002B62909B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2432777900.000002B62909A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2433806687.000002B6290AD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B629088000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449427888.000002B62909B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2427403775.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.accv.es00
Source: saiyasart.exe, 00000008.00000003.2419948412.000002B628F07000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418376315.000002B628F01000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415517958.000002B628EF7000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438176392.000002B628F25000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2436183660.000002B6290D8000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2427329100.000002B6290C2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423757282.000002B628F08000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437763411.000002B628F08000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2435280625.000002B6290D1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2434493444.000002B6290C5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415350474.000002B628EF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: saiyasart.exe, 00000002.00000003.2250481738.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250711134.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251757534.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, _tkinter.pyd.2.dr, _queue.pyd.2.dr, _lzma.pyd.2.dr, _hashlib.pyd.2.dr, tcl86t.dll.2.dr, select.pyd.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: saiyasart.exe, 00000008.00000003.2435149176.000002B629116000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449662021.000002B629116000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437931609.000002B628DDF000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B629116000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2419355907.000002B628DD9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421251058.000002B628DDA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2426725763.000002B628DDD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B629116000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B629116000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417836781.000002B628DCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: saiyasart.exe, 00000008.00000003.2416594735.000002B628E64000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2443593563.000002B628E86000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421090535.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417048213.000002B628E77000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628E86000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425584740.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428186224.000002B628E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: saiyasart.exe, 00000008.00000003.2420913342.000002B6289B0000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417283192.000002B6289A5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2446635096.000002B6289D1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416065286.000002B6289A3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2443400910.000002B6289CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: saiyasart.exe, 00000008.00000003.2420253205.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B629088000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: saiyasart.exe, 00000002.00000003.2468118892.0000029171FFA000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000002.00000003.2468198509.000002917200F000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2456868495.00007FFDA3348000.00000008.00000001.01000000.00000011.sdmp String found in binary or memory: http://www.zlib.net/D
Source: saiyasart.exe, 00000008.00000002.2447309769.000002B628A8B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418864004.000002B628A7B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361128711.000002B628FC4000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361128711.000002B628FB3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2439239550.000002B628A7B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424208586.000002B628A7B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2435882414.000002B628FD4000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361771061.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421354783.000002B628A7B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416065286.000002B628A7B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361226863.000002B628A8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wwwsearch.sf.net/):
Source: saiyasart.exe, 00000008.00000002.2445447622.000002B628760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.gg/jarvisbxy
Source: saiyasart.exe, 00000008.00000002.2445447622.000002B628760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.gg/jarvisbxybound
Source: saiyasart.exe, 00000008.00000002.2447943474.000002B628B60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://discord.gg/rank1shopcomeback
Source: saiyasart.exe, 00000008.00000003.2362335332.000002B628DA6000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421484930.000002B628DC8000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418559311.000002B628DAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445269828.000002B628510000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445269828.000002B62858C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445269828.000002B62858C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445269828.000002B62858C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445269828.000002B62858C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445447622.000002B628760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445447622.000002B628760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445269828.000002B62858C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: saiyasart.exe, 00000008.00000003.2343602197.000002B62887D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417087905.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418652596.000002B628875000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445651234.000002B628879000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423057081.000002B628878000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: saiyasart.exe, 00000008.00000002.2449980646.000002B6295F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: saiyasart.exe, 00000008.00000003.2418833962.000002B628EE2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416556742.000002B628ECB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416947549.000002B628ECC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: saiyasart.exe, 00000008.00000003.2343602197.000002B62887D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417087905.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418652596.000002B628875000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445651234.000002B628879000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445614857.000002B628876000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423057081.000002B628878000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: saiyasart.exe, 00000008.00000002.2450297129.000002B6299A4000.00000004.00001000.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415048494.000002B629B68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55
Source: saiyasart.exe, 00000008.00000002.2450297129.000002B6299A4000.00000004.00001000.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421354783.000002B628A72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445269828.000002B62858C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: saiyasart.exe, 00000008.00000003.2423057081.000002B628878000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: saiyasart.exe, 00000008.00000003.2343602197.000002B62887D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417087905.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418652596.000002B628875000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445651234.000002B628879000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445614857.000002B628876000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423057081.000002B628878000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: saiyasart.exe, 00000008.00000003.2420975453.000002B628AAC000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418864004.000002B628A7B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2358244822.000002B628AAB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361226863.000002B628AAB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2356663770.000002B628DAE000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416065286.000002B628A7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: saiyasart.exe, 00000008.00000003.2343602197.000002B62887D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417087905.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343335160.000002B628883000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2343378493.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418652596.000002B628875000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445651234.000002B628879000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445614857.000002B628876000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423057081.000002B628878000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: saiyasart.exe, 00000008.00000002.2449980646.000002B6295F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: saiyasart.exe, 00000008.00000003.2439343684.000002B6288E3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423360570.000002B6288B2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417087905.000002B6288B2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B6288B2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437354915.000002B6288B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/29200
Source: saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: saiyasart.exe, 00000008.00000003.2437989156.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362335332.000002B628DA6000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2440250568.000002B628965000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2448310282.000002B628DC3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2436030802.000002B628EDC000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437300945.000002B628F91000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438238672.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418376315.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437070183.000002B628961000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442549342.000002B628F98000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422162828.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416556742.000002B628ECB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361771061.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438877424.000002B628F97000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415350474.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425897466.000002B628ED5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422731992.000002B628DC2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416947549.000002B628ECC000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2441391511.000002B628DC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: saiyasart.exe, 00000008.00000003.2437989156.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362335332.000002B628DA6000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2448310282.000002B628DC3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437300945.000002B628F91000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438238672.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418376315.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442549342.000002B628F98000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422162828.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361771061.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438877424.000002B628F97000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415350474.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422731992.000002B628DC2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2441391511.000002B628DC3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428826805.000002B628DC3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418559311.000002B628DAE000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437145035.000002B628F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail
Source: saiyasart.exe, 00000008.00000003.2423646185.000002B628A0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://google.com/mail/
Source: saiyasart.exe, 00000008.00000003.2436030802.000002B628ED0000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416556742.000002B628ECB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416947549.000002B628ECC000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421173102.000002B628ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: saiyasart.exe, 00000008.00000003.2421173102.000002B628ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/
Source: saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417048213.000002B628E77000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428702397.000002B6289F9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437717857.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442144746.000002B62905C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421648258.000002B629017000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442189597.000002B6289F9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2446697965.000002B6289F9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416065286.000002B6289A3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2447707364.000002B628B39000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B62905B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418339244.000002B6289F7000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2440053769.000002B6289F9000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2443566997.000002B628B37000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449171810.000002B629017000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425584740.000002B628E7C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428186224.000002B628E7F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/get
Source: saiyasart.exe, 00000008.00000003.2424208586.000002B628A60000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2355922595.000002B628A38000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417283192.000002B6289A5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417870593.000002B628A16000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2356766538.000002B628A47000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416065286.000002B6289A3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418864004.000002B628A46000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442657100.000002B628A69000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421354783.000002B628A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://httpbin.org/post
Source: saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: saiyasart.exe, 00000008.00000003.2421173102.000002B628ECD000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B628928000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://json.org
Source: text.tcl.2.dr String found in binary or memory: https://linuxreviews.org/HOWTO_change_the_mouse_speed_in_X
Source: saiyasart.exe, 00000008.00000003.2417087905.000002B6288B2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2419876657.000002B6288FE000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B6288B2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423566151.000002B628907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mahler:8092/site-updates.py
Source: saiyasart.exe, 00000008.00000003.2361226863.000002B628B2E000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362275053.000002B628B2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: saiyasart.exe, 00000008.00000002.2451036207.000002B629AD8000.00000004.00001000.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445447622.000002B628760000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/SCjncyJG
Source: saiyasart.exe, 00000008.00000002.2451036207.000002B629AD8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/SCjncyJGP
Source: saiyasart.exe, 00000008.00000002.2449887045.000002B629180000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://peps.python.org/pep-0205/
Source: saiyasart.exe, 00000008.00000002.2454044426.00007FFD8E2A4000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://peps.python.org/pep-0263/
Source: saiyasart.exe, 00000008.00000002.2451036207.000002B629A70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error
Source: saiyasart.exe, 00000008.00000003.2424208586.000002B628A60000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2355922595.000002B628A38000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417283192.000002B6289A5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2450297129.000002B629A2C000.00000004.00001000.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417870593.000002B628A16000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2356766538.000002B628A47000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416065286.000002B6289A3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418864004.000002B628A46000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442657100.000002B628A69000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421354783.000002B628A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
Source: saiyasart.exe, 00000008.00000003.2416065286.000002B628ACF000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2419508357.000002B628AD0000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422089687.000002B628AF3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2436386916.000002B628AFF000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418864004.000002B628ACF000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361226863.000002B628ACF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: saiyasart.exe, 00000008.00000003.2418525485.000002B62892A000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417087905.000002B628928000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2359548063.000002B628928000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2435786869.000002B62892C000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362427254.000002B628928000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B628928000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: saiyasart.exe, 00000008.00000003.2440250568.000002B628965000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2436030802.000002B628EDC000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437070183.000002B628961000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416556742.000002B628ECB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2425897466.000002B628ED5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416947549.000002B628ECC000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421173102.000002B628ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: saiyasart.exe, 00000008.00000002.2450159011.000002B629820000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyp
Source: saiyasart.exe, 00000008.00000002.2449887045.000002B629180000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: saiyasart.exe, 00000008.00000002.2456423331.00007FFD94710000.00000002.00000001.01000000.00000018.sdmp, saiyasart.exe, 00000008.00000002.2452692591.00007FFD8DB43000.00000002.00000001.01000000.00000016.sdmp String found in binary or memory: https://www.openssl.org/H
Source: saiyasart.exe, 00000008.00000003.2424208586.000002B628A60000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2355922595.000002B628A38000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417283192.000002B6289A5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417870593.000002B628A16000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2356766538.000002B628A47000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416065286.000002B6289A3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418864004.000002B628A46000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442657100.000002B628A69000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421354783.000002B628A5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org
Source: saiyasart.exe, 00000008.00000003.2417087905.000002B6288B2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2419876657.000002B6288FE000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415676179.000002B6288B2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423566151.000002B628907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/
Source: saiyasart.exe, 00000008.00000002.2445269828.000002B628510000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: saiyasart.exe, 00000008.00000002.2454718458.00007FFD8E414000.00000008.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.python.org/psf/license/
Source: saiyasart.exe, 00000008.00000002.2454044426.00007FFD8E2A4000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.python.org/psf/license/)
Source: saiyasart.exe, 00000008.00000002.2447943474.000002B628B60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.rank1shop.com/
Source: saiyasart.exe, 00000008.00000003.2418833962.000002B628EE2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2421613466.000002B628A3E000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417283192.000002B6289A5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416556742.000002B628ECB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417870593.000002B628A16000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2441127572.000002B628EE3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428552008.000002B628EE3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416065286.000002B6289A3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2436030802.000002B628EE3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2426428337.000002B628A41000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362089391.000002B628EC1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2416947549.000002B628ECC000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2448727376.000002B628EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: saiyasart.exe, 00000008.00000003.2414842185.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2427329100.000002B6290C2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2424630144.000002B6290AB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2434955951.000002B6290E6000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2434493444.000002B6290C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: saiyasart.exe, 00000008.00000003.2434493444.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2414842185.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2436249991.000002B628DA5000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2420253205.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2426874074.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2449576036.000002B6290FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: saiyasart.exe, 00000008.00000003.2437989156.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2362335332.000002B628DA6000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2448310282.000002B628DC3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437300945.000002B628F91000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417619877.000002B628DA1000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438238672.000002B628F94000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418376315.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2442549342.000002B628F98000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422162828.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2361771061.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2438877424.000002B628F97000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2415350474.000002B628F6D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2422731992.000002B628DC2000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2441391511.000002B628DC3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2428826805.000002B628DC3000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418559311.000002B628DAE000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2437145035.000002B628F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://yahoo.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.313c840.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: saiya.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Contains functionality to log keystrokes (.Net Source)
Source: svchost.exe.0.dr, XLogger.cs .Net Code: KeyboardLayout
Source: 0.2.saiya.exe.313c840.2.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 0.2.saiya.exe.3146680.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout

Operating System Destruction
barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: 01 00 00 00 Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.saiya.exe.313c840.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.saiya.exe.3146680.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Roaming\svchost.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1427B74 2_2_00007FF7E1427B74
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1407E40 2_2_00007FF7E1407E40
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1426E10 2_2_00007FF7E1426E10
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1422A84 2_2_00007FF7E1422A84
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1421AD8 2_2_00007FF7E1421AD8
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14112CC 2_2_00007FF7E14112CC
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14252BC 2_2_00007FF7E14252BC
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E141EAC4 2_2_00007FF7E141EAC4
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E142A938 2_2_00007FF7E142A938
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E140A20D 2_2_00007FF7E140A20D
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14099D4 2_2_00007FF7E14099D4
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1416C90 2_2_00007FF7E1416C90
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14114D8 2_2_00007FF7E14114D8
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1410CB8 2_2_00007FF7E1410CB8
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1413B28 2_2_00007FF7E1413B28
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14143F0 2_2_00007FF7E14143F0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14123C0 2_2_00007FF7E14123C0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1419670 2_2_00007FF7E1419670
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1427628 2_2_00007FF7E1427628
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1421AD8 2_2_00007FF7E1421AD8
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1424E20 2_2_00007FF7E1424E20
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14136F0 2_2_00007FF7E14136F0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14116DC 2_2_00007FF7E14116DC
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1410EBC 2_2_00007FF7E1410EBC
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1408D60 2_2_00007FF7E1408D60
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E141F5D8 2_2_00007FF7E141F5D8
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E141ADC0 2_2_00007FF7E141ADC0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E142708C 2_2_00007FF7E142708C
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E140983B 2_2_00007FF7E140983B
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14110C8 2_2_00007FF7E14110C8
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E141EF58 2_2_00007FF7E141EF58
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1412758 2_2_00007FF7E1412758
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1413F2C 2_2_00007FF7E1413F2C
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1418FC0 2_2_00007FF7E1418FC0
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD34376522 4_2_00007FFD34376522
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD34371631 4_2_00007FFD34371631
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD34375776 4_2_00007FFD34375776
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD3437D818 4_2_00007FFD3437D818
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD34375279 4_2_00007FFD34375279
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD34379088 4_2_00007FFD34379088
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FF7E1427B74 8_2_00007FF7E1427B74
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FF7E1426E10 8_2_00007FF7E1426E10
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FF7E1413F2C 8_2_00007FF7E1413F2C
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FF7E1422A84 8_2_00007FF7E1422A84
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DD97FE0 8_2_00007FFD8DD97FE0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DD71BD0 8_2_00007FFD8DD71BD0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DD6F640 8_2_00007FFD8DD6F640
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DD8C640 8_2_00007FFD8DD8C640
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DDDE640 8_2_00007FFD8DDDE640
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DD70650 8_2_00007FFD8DD70650
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DCEFE20 8_2_00007FFD8DCEFE20
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DCF55EF 8_2_00007FFD8DCF55EF
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DD06DF0 8_2_00007FFD8DD06DF0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DE04DF0 8_2_00007FFD8DE04DF0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DCF55D2 8_2_00007FFD8DCF55D2
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: String function: 00007FFD8DDDA3F0 appears 179 times
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: String function: 00007FF7E1401E50 appears 88 times
One or more processes crash
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4548 -s 2496
Sample file is different than original file name gathered from version info
Source: saiya.exe, 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exe4 vs saiya.exe
Uses 32bit PE files
Source: saiya.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.saiya.exe.313c840.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.saiya.exe.3146680.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: svchost.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.saiya.exe.313c840.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.saiya.exe.313c840.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.saiya.exe.313c840.2.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.saiya.exe.3146680.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.saiya.exe.3146680.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.saiya.exe.3146680.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.saiya.exe.313c840.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.saiya.exe.313c840.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.saiya.exe.3146680.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.saiya.exe.3146680.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/1023@2/3
Source: C:\Users\user\Desktop\saiya.exe File created: C:\Users\user\AppData\Roaming\saiyasart.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:504:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: NULL
Source: C:\Users\user\Desktop\saiya.exe Mutant created: \Sessions\1\BaseNamedObjects\gggu61YxmIseua3yr
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\dSzDnC4txCD67cS4
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4548
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2664:120:WilError_03
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482 Jump to behavior
Source: saiya.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: saiya.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\saiya.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: saiyasart.exe String found in binary or memory: -startline must be less than or equal to -endline
Source: saiyasart.exe String found in binary or memory: -help
Source: unknown Process created: C:\Users\user\Desktop\saiya.exe "C:\Users\user\Desktop\saiya.exe"
Source: C:\Users\user\Desktop\saiya.exe Process created: C:\Users\user\AppData\Roaming\saiyasart.exe "C:\Users\user\AppData\Roaming\saiyasart.exe"
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\saiya.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Process created: C:\Users\user\AppData\Roaming\saiyasart.exe "C:\Users\user\AppData\Roaming\saiyasart.exe"
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4548 -s 2496
Source: C:\Users\user\Desktop\saiya.exe Process created: C:\Users\user\AppData\Roaming\saiyasart.exe "C:\Users\user\AppData\Roaming\saiyasart.exe" Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Process created: C:\Users\user\AppData\Roaming\saiyasart.exe "C:\Users\user\AppData\Roaming\saiyasart.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\saiya.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: python3.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: tcl86t.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: tk86t.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: zlib1.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\saiya.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\saiya.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: saiya.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: saiya.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: saiya.exe Static file information: File size 14649344 > 1048576
Source: saiya.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xdec400
Source: saiya.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbtem source: svchost.exe, 00000004.00000002.4561570435.00000000010D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: saiyasart.exe, 00000008.00000002.2455706440.00007FFD8E611000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbOLED0884F7D973F80C1751804498CB9 source: svchost.exe, 00000004.00000002.4568119121.000000001BE55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: saiyasart.exe, 00000008.00000002.2452323909.00007FFD8DA02000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: api-ms-win-core-memory-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: saiyasart.exe, 00000002.00000003.2250093619.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2462133068.00007FFDA4341000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: saiyasart.exe, 00000008.00000002.2461492318.00007FFDA3A88000.00000002.00000001.01000000.0000000F.sdmp, _tkinter.pyd.2.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: 0C:\Windows\mscorlib.pdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: api-ms-win-core-heap-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: C:\Windows\system32\wbem\fastprox.dlll\??\C:\Windows\symbols\dll\mscorlib.pdb source: svchost.exe, 00000004.00000002.4561570435.00000000010D9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000004.00000002.4561173919.00000000010AF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: saiyasart.exe, 00000008.00000002.2461910222.00007FFDA4171000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: saiyasart.exe, 00000002.00000003.2250937812.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2456596612.00007FFDA3307000.00000002.00000001.01000000.00000015.sdmp, _hashlib.pyd.2.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: api-ms-win-crt-time-l1-1-0.dll.2.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: svchost.exe, 00000004.00000002.4567882913.000000001BE1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2458363517.00007FFDA345C000.00000002.00000001.01000000.0000000E.sdmp, _lzma.pyd.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: saiyasart.exe, 00000002.00000003.2250311561.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2461684942.00007FFDA3AED000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: ucrtbase.pdbUGP source: saiyasart.exe, 00000008.00000002.2455706440.00007FFD8E611000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: saiyasart.exe, 00000002.00000003.2251385601.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2457006751.00007FFDA3429000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: symbols\dll\mscorlib.pdbpdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: saiyasart.exe, 00000008.00000002.2454044426.00007FFD8E2A4000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: saiyasart.exe, 00000008.00000002.2455876714.00007FFD9463F000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL || WITHIN_ARENA(temp->next)assertion failed: (char **)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) || WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/*0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: saiyasart.exe, 00000008.00000002.2452323909.00007FFD8DA02000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb` source: svchost.exe, 00000004.00000002.4568119121.000000001BE55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: api-ms-win-core-file-l1-2-0.dll.2.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: api-ms-win-core-profile-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.2.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: saiyasart.exe, 00000002.00000003.2250093619.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2462133068.00007FFDA4341000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: api-ms-win-core-debug-l1-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: saiyasart.exe, 00000008.00000002.2462646549.00007FFDA5803000.00000002.00000001.01000000.00000014.sdmp, select.pyd.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: \??\C:\Users\user\AppData\Roaming\svchost.PDB source: svchost.exe, 00000004.00000002.4568119121.000000001BE55000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: svchost.exe, 00000004.00000002.4568439306.000000001BEB1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4561570435.00000000010EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: saiyasart.exe, 00000008.00000002.2456350405.00007FFD946D5000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: saiyasart.exe, 00000002.00000003.2251087125.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2458363517.00007FFDA345C000.00000002.00000001.01000000.0000000E.sdmp, _lzma.pyd.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: saiyasart.exe, 00000002.00000003.2251281485.000002917200D000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2463298768.00007FFDAC113000.00000002.00000001.01000000.00000019.sdmp, _queue.pyd.2.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: saiyasart.exe, 00000008.00000002.2462975519.00007FFDAC0F4000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: saiyasart.exe, 00000008.00000002.2462975519.00007FFDAC0F4000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr
Source: Binary string: indoC:\Windows\mscorlib.pdb source: svchost.exe, 00000004.00000002.4569283593.000000001D949000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libssl-3.pdb source: saiyasart.exe, 00000008.00000002.2456350405.00007FFD946D5000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: saiyasart.exe, 00000008.00000002.2463480430.00007FFDAC12D000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.2.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: api-ms-win-crt-conio-l1-1-0.dll.2.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: svchost.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.saiya.exe.313c840.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.saiya.exe.313c840.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.saiya.exe.3146680.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.saiya.exe.3146680.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: svchost.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Messages.cs .Net Code: Memory
Source: 0.2.saiya.exe.313c840.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.saiya.exe.313c840.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.saiya.exe.313c840.2.raw.unpack, Messages.cs .Net Code: Memory
Source: 0.2.saiya.exe.3146680.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.saiya.exe.3146680.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.saiya.exe.3146680.1.raw.unpack, Messages.cs .Net Code: Memory
PE file contains sections with non-standard names
Source: python312.dll.2.dr Static PE information: section name: PyRuntim
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\saiya.exe Code function: 0_2_00007FFD343900BD pushad ; iretd 0_2_00007FFD343900C1
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD3437809E push eax; ret 4_2_00007FFD343780AD
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD343700BD pushad ; iretd 4_2_00007FFD343700C1
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD34378050 pushad ; ret 4_2_00007FFD3437809D

Persistence and Installation Behavior
barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\saiya.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_lzma.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_queue.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_wmi.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\libssl-3.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_ssl.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\tcl86t.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\saiya.exe File created: C:\Users\user\AppData\Roaming\saiyasart.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\libffi-8.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\python312.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\tk86t.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\libcrypto-3.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\zlib1.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\select.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\saiya.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_tkinter.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\charset_normalizer\md__mypyc.cp312-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\charset_normalizer\md.cp312-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File created: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.313c840.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: saiya.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1404C60 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError, 2_2_00007FF7E1404C60
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AsyncRAT
Source: Yara match File source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.313c840.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: saiya.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: svchost.exe, 00000004.00000002.4562131106.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: saiya.exe, 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: SBIEDLL.DLLINFO
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\saiya.exe Memory allocated: 3060000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Memory allocated: 1B120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: FA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1AEA0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\saiya.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 2982 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 6841 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_lzma.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_queue.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_wmi.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_ssl.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\python312.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_decimal.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\select.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_tkinter.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\charset_normalizer\md__mypyc.cp312-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\charset_normalizer\md.cp312-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69482\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\saiya.exe TID: 4900 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5824 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1407820 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 2_2_00007FF7E1407820
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E14087E0 FindFirstFileExW,FindClose, 2_2_00007FF7E14087E0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1422A84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00007FF7E1422A84
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FF7E14087E0 FindFirstFileExW,FindClose, 8_2_00007FF7E14087E0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FF7E1422A84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_00007FF7E1422A84
Source: C:\Users\user\Desktop\saiya.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI69482\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\saiyasart.exe File opened: C:\Users\user\AppData\
Source: svchost.exe, 00000004.00000002.4567685016.000000001BE06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: vmware
Source: saiyasart.exe, 00000008.00000003.2415676179.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2417087905.000002B628866000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423360570.000002B628887000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2440024102.000002B62888B000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2418652596.000002B628875000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000003.2423057081.000002B628878000.00000004.00000020.00020000.00000000.sdmp, saiyasart.exe, 00000008.00000002.2445718282.000002B62888C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 4_2_00007FFD34376D21 CheckRemoteDebuggerPresent, 4_2_00007FFD34376D21
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E141B4F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF7E141B4F8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1424690 GetProcessHeap, 2_2_00007FF7E1424690
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E141B4F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF7E141B4F8
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E140C69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF7E140C69C
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E140BE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF7E140BE00
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E140C840 SetUnhandledExceptionFilter, 2_2_00007FF7E140C840
Source: C:\Users\user\Desktop\saiya.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 208.95.112.1 80 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 45.141.26.134 7000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\saiya.exe Process created: C:\Users\user\AppData\Roaming\saiyasart.exe "C:\Users\user\AppData\Roaming\saiyasart.exe" Jump to behavior
Source: C:\Users\user\Desktop\saiya.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Process created: C:\Users\user\AppData\Roaming\saiyasart.exe "C:\Users\user\AppData\Roaming\saiyasart.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E142A780 cpuid 2_2_00007FF7E142A780
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\saiya.exe Queries volume information: C:\Users\user\Desktop\saiya.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\.img VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\encoding VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\http1.0 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\msgs VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\opt0.4 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\Africa VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America\Argentina VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America\Argentina VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America\Argentina VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America\Argentina VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America\Argentina VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America\Argentina VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_tcl_data\tzdata\America VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\ucrtbase.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482 VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482 VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482 VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482 VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482 VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69482\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Queries volume information: C:\Users\user\AppData\Roaming\saiyasart.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E140C580 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00007FF7E140C580
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 8_2_00007FFD8DE325C0 GetUserNameW, 8_2_00007FFD8DE325C0
Source: C:\Users\user\AppData\Roaming\saiyasart.exe Code function: 2_2_00007FF7E1426E10 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 2_2_00007FF7E1426E10
Source: C:\Users\user\Desktop\saiya.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.313c840.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: saiya.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000004.00000002.4568439306.000000001BE98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected XWorm
Source: Yara match File source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.313c840.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4562131106.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: saiya.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected XWorm
Source: Yara match File source: 0.2.saiya.exe.313c840.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchost.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.313c840.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.saiya.exe.3146680.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2247876687.0000000003121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.2244827083.0000000000A82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4562131106.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: saiya.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 4548, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562138 Sample: saiya.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 47 pastebin.com 2->47 49 ip-api.com 2->49 57 Suricata IDS alerts for network traffic 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 65 15 other signatures 2->65 9 saiya.exe 4 2->9         started        signatures3 63 Connects to a pastebin service (likely for C&C) 47->63 process4 file5 41 C:\Users\user\AppData\Roaming\svchost.exe, PE32 9->41 dropped 43 C:\Users\user\AppData\Roaming\saiyasart.exe, PE32+ 9->43 dropped 45 C:\Users\user\AppData\Local\...\saiya.exe.log, CSV 9->45 dropped 67 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->67 69 Drops PE files with benign system names 9->69 13 svchost.exe 3 9->13         started        17 saiyasart.exe 1002 9->17         started        signatures6 process7 dnsIp8 53 45.141.26.134, 49740, 7000 SPECTRAIPSpectraIPBVNL Netherlands 13->53 55 ip-api.com 208.95.112.1, 49725, 80 TUT-ASUS United States 13->55 71 System process connects to network (likely due to code injection or exploit) 13->71 73 Multi AV Scanner detection for dropped file 13->73 75 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->75 77 4 other signatures 13->77 20 schtasks.exe 1 13->20         started        22 WerFault.exe 13->22         started        33 C:\Users\user\AppData\Local\...\zlib1.dll, PE32+ 17->33 dropped 35 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 17->35 dropped 37 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 17->37 dropped 39 58 other files (none is malicious) 17->39 dropped 24 saiyasart.exe 17->24         started        27 conhost.exe 17->27         started        file9 signatures10 process11 dnsIp12 29 conhost.exe 20->29         started        51 pastebin.com 172.67.19.24, 443, 49755 CLOUDFLARENETUS United States 24->51 31 WMIC.exe 24->31         started        process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
172.67.19.24
 pastebin.com United States
13335 CLOUDFLARENETUS false
45.141.26.134
 unknown Netherlands
62068 SPECTRAIPSpectraIPBVNL true

Contacted Domains

Name IP Active
ip-api.com 208.95.112.1 true
pastebin.com 172.67.19.24 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
45.141.26.134 true
  • Avira URL Cloud: safe
 unknown