Windows Analysis Report
disk-io.exe

Overview

General Information

Sample name: disk-io.exe
Analysis ID: 1571440
MD5: debd16861b6996fea26c7573fe5f8458
SHA1: 30a964aacf1e5b9b2d3a56f7afdad874b8efc0e8
SHA256: 2293ffbbadadb3c8b2657312bd7bb1dbad648663f1b1fc6be41b295756c834a6

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Source: disk-io.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: disk-io.exe Static PE information: Number of sections : 12 > 10
Source: disk-io.exe Binary string: "\Device\HarddiskVolume1\Windows\systemew\file.txt"
Source: classification engine Classification label: clean2.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: disk-io.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\disk-io.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\disk-io.exe "C:\Users\user\Desktop\disk-io.exe"
Source: C:\Users\user\Desktop\disk-io.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\disk-io.exe Section loaded: python311.dll
Source: disk-io.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: disk-io.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: disk-io.exe Static file information: File size 30182912 > 1048576
Source: disk-io.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13d9600
Source: disk-io.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x86c800
Source: disk-io.exe Static PE information: More than 200 imports for python311.dll
Source: disk-io.exe Static PE information: section name: .eh_fram
Source: disk-io.exe Static PE information: section name: .xdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: disk-io.exe Binary or memory string: u/etc/vmware-release
Source: disk-io.exe Binary or memory string: uVMware ESX
Source: disk-io.exe Binary or memory string: aVMwareESX
Source: disk-io.exe Binary or memory string: uVMware ESXl
Source: disk-io.exe Binary or memory string: apathanameaallowemptyu/etc/vmware-releaseaVMwareESXtD
No contacted IP infos