Windows Analysis Report
tehtris_offline_forensic_2.6.0.0.exe

Overview

General Information

Sample name: tehtris_offline_forensic_2.6.0.0.exe
Analysis ID: 1426616
MD5: b24e639470b5cc0a46baa9fec06504af
SHA1: 9eed36e3dc36693372baeef8538d3024e75b8d79
SHA256: 1448e64b1323ae0ee97bcd7d712f8cb3a501c7fa06fb486f15da3601f1fa0a09

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Found pyInstaller with non standard icon
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Yara detected Keylogger Generic

Classification

Source: tehtris_offline_forensic_2.6.0.0.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: tehtris_offline_forensic_2.6.0.0.exe Static PE information: certificate valid
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
Source: Yara match File source: 00000003.00000003.1271581246.00000000063BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1275516925.00000000065AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: classification engine Classification label: sus23.winEXE@8/100@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442
Source: tehtris_offline_forensic_2.6.0.0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File read: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Source: unknown Process created: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process created: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process created: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic logicaldisk get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get name
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic logicaldisk get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get name
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: pywintypes27.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: sqlite3.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: security.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: tehtris_offline_forensic_2.6.0.0.exe Static file information: File size 15502144 > 1048576

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process created: "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\bz2.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.volume_shadow_copy.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.utils.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\mfcm90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\psutil._psutil_windows.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.installed_softwares.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.signatures.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.disk.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\msvcm90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.firefox.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.structures.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.app_compat_cache.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32process.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32ui.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.psutil_xp.psutil._psutil_windows.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.autostarts.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\Crypto.Cipher._AES.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.config.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.prefetch.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Address.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\select.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32trace.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.amcache.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imaging.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\mfc90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._openssl.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\mfcm90u.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32security.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\pythoncom27.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.opera.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinProcess.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32evtlog.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_ssl.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Locator.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.regkey.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.hosts.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_bsddb.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.advanced.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.chrome.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\pywintypes27.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imagingtk.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_live.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.process.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\unicodedata.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.tools.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.ie.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinStructures.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\pyexpat.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.browsers_scan.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_sqlite3.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_tracks.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memscan.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\mfc90u.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32pipe.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_testcapi.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32console.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_file.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32com.shell.shell.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\sqlite3.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Process.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_win32sysloader.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\msvcr90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32api.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.eof.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32file.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.recent_file_cache.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.yarapy.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.security_products_state.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\msvcp90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\win32gui.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\_cffi_backend.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.BaseProcess.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.MemWorker.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\python27.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._constant_time.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.optimizejars.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.autostarts.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.misc.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File created: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._webp.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\bz2.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.volume_shadow_copy.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.utils.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\mfcm90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\psutil._psutil_windows.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.installed_softwares.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.signatures.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.disk.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\msvcm90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.firefox.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.structures.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.app_compat_cache.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32process.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32ui.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.psutil_xp.psutil._psutil_windows.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.autostarts.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\Crypto.Cipher._AES.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.config.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.prefetch.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Address.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32trace.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\select.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.amcache.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imaging.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\mfc90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._openssl.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\mfcm90u.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32security.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\pythoncom27.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.opera.pyd
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinProcess.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32evtlog.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Locator.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.regkey.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.hosts.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_bsddb.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.advanced.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.chrome.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.process.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imagingtk.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_live.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.tools.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.ie.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinStructures.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.browsers_scan.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memscan.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_tracks.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_sqlite3.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\mfc90u.dll Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32pipe.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_testcapi.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32console.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_file.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32com.shell.shell.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Process.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32api.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_win32sysloader.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\msvcr90.dll Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.eof.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32file.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.recent_file_cache.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.yarapy.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.security_products_state.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\msvcp90.dll Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\win32gui.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\_cffi_backend.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.BaseProcess.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.MemWorker.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\python27.dll Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._constant_time.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.optimizejars.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.autostarts.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.misc.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._webp.pyd Jump to dropped file
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process created: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic logicaldisk get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get name
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\Crypto.Cipher._AES.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_ssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\09isgp VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32api.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_sqlite3.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\__init__.py VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\dicts.dat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32com.shell.shell.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32console.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32file.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32gui.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32process.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\pyexpat.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\psutil._psutil_windows.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imaging.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.advanced.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.config.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.tools.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.browsers_scan.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.misc.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.regkey.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.ie.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.firefox.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.optimizejars.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.chrome.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.opera.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.hosts.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.installed_softwares.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.security_products_state.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.autostarts.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.disk.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memscan.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.yarapy.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.MemWorker.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Process.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.BaseProcess.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.utils.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinProcess.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.structures.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinStructures.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Address.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Locator.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.signatures.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.eof.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.amcache.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_file.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.volume_shadow_copy.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_live.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_tracks.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.process.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\embedded\yara\tehtris_enc.yar VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\entry_points.txt VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._constant_time.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_cffi_backend.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._openssl.pyd VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\svchost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\dwm.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0515~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\winlogon.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\lsass.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\fontdrvhost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\dllhost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\wbem\WmiPrvSE.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\spoolsv.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\conhost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\backgroundTaskHost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0510~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\ApplicationFrameHost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\sihost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\ctfmon.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\dasHost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0511~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\explorer.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0512~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Queries volume information: C:\Windows\System32\dllhost.exe VolumeInformation
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos