Windows Analysis Report
tehtris_offline_forensic_2.6.0.0.exe

Overview

General Information

Sample name: tehtris_offline_forensic_2.6.0.0.exe
Analysis ID: 1426616
MD5: b24e639470b5cc0a46baa9fec06504af
SHA1: 9eed36e3dc36693372baeef8538d3024e75b8d79
SHA256: 1448e64b1323ae0ee97bcd7d712f8cb3a501c7fa06fb486f15da3601f1fa0a09

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Found pyInstaller with non standard icon
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Yara detected Keylogger Generic

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis
Sample searches for specific files; try pointing organization-specific fake files at the analysis machine
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
  • System is w10x64_ra
  • tehtris_offline_forensic_2.6.0.0.exe (PID: 7044 cmdline: "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe" MD5: B24E639470B5CC0A46BAA9FEC06504AF)
    • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tehtris_offline_forensic_2.6.0.0.exe (PID: 6084 cmdline: "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe" MD5: B24E639470B5CC0A46BAA9FEC06504AF)
      • cmd.exe (PID: 7036 cmdline: C:\Windows\system32\cmd.exe /c wmic logicaldisk get name MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • WMIC.exe (PID: 2940 cmdline: wmic logicaldisk get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  • cleanup
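The process tree above shows two relationships worth a detection rule even though no Sigma rule matched: the sample starts a second copy of its own image (the PyInstaller bootloader launching the child that runs the bundled Python program), and that child runs cmd.exe /c wmic logicaldisk get name. The following is an added example, not Joe Sandbox or TEHTRIS code; it walks a set of constructed process-creation events that mirror the tree (the root process's parent PID 1000 is an assumption, the report does not show it) and reports both patterns.

```python
"""Added example (not Joe Sandbox code): flag the two process-tree
patterns visible in the report, using constructed events that mirror
the tree. Pattern 1: an image re-spawning itself (the PyInstaller
bootloader starts a child of the same binary to run the bundled Python
program). Pattern 2: cmd.exe /c wmic ... whose nearest non-system
ancestor is a binary outside the Windows system directories."""

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed process-creation events: (pid, ppid, image path, command line).
# PIDs and paths are taken from the report's process tree; ppid 1000 for the
# root process is an assumption (the report does not show its parent).
EVENTS = [
    (7044, 1000, r"C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe",
     r'"C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"'),
    (7052, 7044, r"C:\Windows\system32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (6084, 7044, r"C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe",
     r'"C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"'),
    (7036, 6084, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c wmic logicaldisk get name"),
    (2940, 7036, r"C:\Windows\System32\wbem\WMIC.exe",
     r"wmic logicaldisk get name"),
]


def index_events(events):
    """Map pid -> (ppid, image, cmdline) so parents can be looked up by pid."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}


def is_system_image(image):
    """True for binaries under the Windows system directories."""
    return image.lower().startswith(SYSTEM_DIRS)


def image_name(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def find_self_spawn(events):
    """(parent pid, child pid, image) for every child whose image equals
    its parent's image."""
    by_pid = index_events(events)
    hits = []
    for pid, (ppid, image, _) in by_pid.items():
        parent = by_pid.get(ppid)
        if parent is not None and parent[1].lower() == image.lower():
            hits.append((ppid, pid, image))
    return hits


def find_wmic_via_cmd(events):
    """WMIC.exe launched by cmd.exe on behalf of a non-system binary.
    Returns (origin pid, origin image, wmic command line) per hit."""
    by_pid = index_events(events)
    hits = []
    for pid, (ppid, image, cmdline) in by_pid.items():
        if image_name(image) != "wmic.exe":
            continue
        parent = by_pid.get(ppid)
        if parent is None or image_name(parent[1]) != "cmd.exe":
            continue
        # Walk up past system binaries to the first user-controlled ancestor.
        origin_pid, origin = parent[0], by_pid.get(parent[0])
        while origin is not None and is_system_image(origin[1]):
            origin_pid, origin = origin[0], by_pid.get(origin[0])
        if origin is not None:
            hits.append((origin_pid, origin[1], cmdline))
    return hits


if __name__ == "__main__":
    for ppid, pid, image in find_self_spawn(EVENTS):
        print(f"self-spawn: {ppid} -> {pid} {image}")
    for pid, image, cmdline in find_wmic_via_cmd(EVENTS):
        print(f"wmic via cmd: origin {pid} {image}: {cmdline}")
```

On real telemetry (Sysmon event 1 or EDR process-start records) the same two functions apply once the events are mapped to the (pid, ppid, image, cmdline) tuple; the self-spawn check alone is noisy for every PyInstaller build, so pair it with the wmic-via-cmd origin check or with the _MEI drop directory.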
Yara matches (Source; Rule; Description; Author):
00000003.00000003.1271581246.00000000063BD000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_Keylogger_Generic; Yara detected Keylogger Generic; Joe Security
00000003.00000003.1275516925.00000000065AA000.00000004.00000020.00020000.00000000.sdmp; JoeSecurity_Keylogger_Generic; Yara detected Keylogger Generic; Joe Security
No Sigma rule has matched
No Snort rule has matched

Source: tehtris_offline_forensic_2.6.0.0.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: tehtris_offline_forensic_2.6.0.0.exe; Static PE information: certificate valid
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
Source: Yara match; File source: 00000003.00000003.1271581246.00000000063BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.1275516925.00000000065AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: classification engine; Classification label: sus23.winEXE@8/100@0/0
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File created: C:\Users\user\AppData\Local\Temp\_MEI70442
Source: tehtris_offline_forensic_2.6.0.0.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; File read: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
Source: unknown; Process created: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Process created: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic logicaldisk get name
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get name
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Sections loaded: cryptsp.dll, rsaenh.dll, cryptbase.dll, version.dll, pywintypes27.dll, secur32.dll, sspicli.dll, kernel.appcore.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sqlite3.dll, mswsock.dll, sfc.dll, sfc_os.dll, msimg32.dll, netapi32.dll, security.dll, ntdsapi.dll, logoncli.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, sxs.dll, iphlpapi.dll, wtsapi32.dll, powrprof.dll, umpdc.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, dnsapi.dll, winrnr.dll, msasn1.dll, gpapi.dll, taskschd.dll
Source: C:\Windows\System32\wbem\WMIC.exe; Sections loaded: iphlpapi.dll, framedynos.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, msxml6.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, uxtheme.dll, vcruntime140.dll, vcruntime140_1.dll, amsi.dll, userenv.dll, profapi.dll, vbscript.dll, sxs.dll
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: tehtris_offline_forensic_2.6.0.0.exe; Static file information: File size 15502144 > 1048576
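The "File opened" entries with "Application Data" repeated nine times are the signature of a directory walk that follows junctions: on Windows, C:\Documents and Settings is a junction to C:\Users, All Users\Application Data resolves to C:\ProgramData, and C:\ProgramData\Application Data is a hidden junction back to C:\ProgramData, so a walker that does not track where it has already been descends into the same directory until the path length limit stops it (which also explains the "searches for specific file" advice above). The following is an added example, not the tool's own code, of a walk that keys visited directories by their resolved identity; the demo tree is constructed in a temp directory with a symlink standing in for the junction, so it runs on any platform.

```python
"""Added example (not part of the report or the TEHTRIS tool): a
directory walk that refuses to re-enter a directory it has already
visited through a junction or symlink, next to a depth-capped naive
walk that shows the repeated-segment path the report contains."""
import os
import tempfile


def dir_identity(path):
    """Identity of the directory a path resolves to (follows links),
    so a junction and its target compare equal."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def safe_walk(root, max_depth=64):
    """Return (visited directories, link paths that pointed back into the
    tree). Each real directory is entered once; max_depth is a second
    guard for filesystems where inode identity is unreliable."""
    seen = set()
    visited, loops = [], []
    stack = [(root, 0)]
    while stack:
        path, depth = stack.pop()
        ident = dir_identity(path)
        if ident in seen or depth > max_depth:
            loops.append(path)
            continue
        seen.add(ident)
        visited.append(path)
        with os.scandir(path) as entries:
            for entry in entries:
                if entry.is_dir(follow_symlinks=True):
                    stack.append((entry.path, depth + 1))
    return visited, loops


def naive_walk_deepest(root, max_depth):
    """os.walk(followlinks=True) cut off at max_depth; returns the longest
    path it reached, which grows by one 'Application Data' per level."""
    deepest = root
    for dirpath, dirnames, _ in os.walk(root, followlinks=True):
        if dirpath[len(root):].count(os.sep) >= max_depth:
            dirnames[:] = []  # stop descending; without a cap this never ends
        if len(dirpath) > len(deepest):
            deepest = dirpath
    return deepest


def build_demo_tree():
    """Constructed layout: <root>/ProgramData/Microsoft plus a link
    <root>/ProgramData/Application Data -> <root>/ProgramData, mimicking
    the Windows junction."""
    root = tempfile.mkdtemp(prefix="walkdemo")
    program_data = os.path.join(root, "ProgramData")
    os.makedirs(os.path.join(program_data, "Microsoft"))
    os.symlink(program_data, os.path.join(program_data, "Application Data"),
               target_is_directory=True)
    return root


def demo(max_depth=6):
    """Run both walkers over the constructed tree."""
    root = build_demo_tree()
    visited, loops = safe_walk(root)
    repeats = naive_walk_deepest(root, max_depth).count("Application Data")
    return len(visited), [os.path.basename(p) for p in loops], repeats


if __name__ == "__main__":
    n_dirs, loop_names, repeats = demo()
    print(f"safe_walk entered {n_dirs} directories, skipped links: {loop_names}")
    print(f"naive walk repeated 'Application Data' {repeats} times before the depth cap")
```

On Windows, os.stat on a directory returns the NTFS file index in st_ino, so the same identity check catches junctions as well as symlinks; on NTFS volumes where that cannot be relied on, the depth cap is the fallback.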

      Persistence and Installation Behavior

Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Process created: "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Files created (dropped PE files) under C:\Users\user\AppData\Local\Temp\_MEI70442\:
  • bz2.pyd
  • eof.forensic_scripts.volume_shadow_copy.pyd
  • eof.memorpy.utils.pyd
  • mfcm90.dll
  • psutil._psutil_windows.pyd
  • _socket.pyd
  • eof.windows_scripts.installed_softwares.pyd
  • eof.forensic.pyd
  • eof.windows_scripts.signatures.pyd
  • eof.disk.pyd
  • msvcm90.dll
  • eof.browsers_scan.firefox.pyd
  • eof.memorpy.structures.pyd
  • _ctypes.pyd
  • eof.forensic_scripts.app_compat_cache.pyd
  • win32process.pyd
  • win32ui.pyd
  • eof.psutil_xp.psutil._psutil_windows.pyd
  • eof.autostarts.pyd
  • Crypto.Cipher._AES.pyd
  • eof.config.pyd
  • eof.forensic_scripts.prefetch.pyd
  • eof.memorpy.Address.pyd
  • select.pyd
  • win32trace.pyd
  • eof.forensic_scripts.amcache.pyd
  • PIL._imaging.pyd
  • mfc90.dll
  • cryptography.hazmat.bindings._openssl.pyd
  • mfcm90u.dll
  • win32security.pyd
  • pythoncom27.dll
  • eof.browsers_scan.opera.pyd
  • eof.memorpy.WinProcess.pyd
  • win32evtlog.pyd
  • _ssl.pyd
  • eof.memorpy.Locator.pyd
  • eof.browsers_scan.regkey.pyd
  • eof.windows_scripts.hosts.pyd
  • _bsddb.pyd
  • _hashlib.pyd
  • eof.advanced.pyd
  • eof.browsers_scan.chrome.pyd
  • pywintypes27.dll
  • PIL._imagingtk.pyd
  • eof.forensic_scripts.registry_live.pyd
  • eof.process.pyd
  • unicodedata.pyd
  • eof.tools.pyd
  • eof.browsers_scan.ie.pyd
  • eof.memorpy.WinStructures.pyd
  • pyexpat.pyd
  • eof.browsers_scan.browsers_scan.pyd
  • _sqlite3.pyd
  • eof.forensic_scripts.registry_tracks.pyd
  • eof.memscan.pyd
  • mfc90u.dll
  • win32pipe.pyd
  • _testcapi.pyd
  • win32console.pyd
  • eof.forensic_scripts.registry_file.pyd
  • win32com.shell.shell.pyd
  • sqlite3.dll
  • eof.memorpy.Process.pyd
  • _win32sysloader.pyd
  • msvcr90.dll
  • win32api.pyd
  • eof.eof.pyd
  • win32file.pyd
  • eof.forensic_scripts.recent_file_cache.pyd
  • eof.forensic_scripts.registry.pyd
  • eof.yarapy.pyd
  • eof.windows_scripts.security_products_state.pyd
  • msvcp90.dll
  • win32gui.pyd
  • _cffi_backend.pyd
  • eof.memorpy.BaseProcess.pyd
  • eof.memorpy.MemWorker.pyd
  • python27.dll
  • cryptography.hazmat.bindings._constant_time.pyd
  • eof.browsers_scan.optimizejars.pyd
  • eof.windows_scripts.autostarts.pyd
  • eof.browsers_scan.misc.pyd
  • PIL._webp.pyd
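The _MEI70442 directory is the standard PyInstaller one-file extraction (python27.dll, the pywin32 .pyd modules and the VC90 runtime are the bundle's own dependencies; the eof.* modules are the tool's compiled extensions). The analysis advice asks for the dropped PE files that were never started to be submitted separately. The following is an added example, not Joe Sandbox or TEHTRIS code, of a triage pass over such a directory: it confirms each file really carries a PE header, reads the machine type from the COFF header, hashes it for submission, and marks it as started or not by comparing against the module names seen loaded at runtime. The directory built by build_demo_dir() is constructed (two minimal PE stubs and one non-PE file), and the loaded-module list is constructed from the report's "Sections loaded" entry; on a real case point triage_mei_dir() at the live _MEI directory and the loaded-module list from the sandbox or EDR.

```python
"""Added example (not Joe Sandbox or TEHTRIS code): triage a PyInstaller
_MEIxxxx extraction directory. Each file is checked for a real PE header,
its machine type is read from the COFF header, it is hashed for
submission, and it is marked started/not started against the module
names observed loaded at runtime."""
import hashlib
import os
import struct
import tempfile

MACHINE = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def pe_machine(path):
    """Machine type of a PE file, or None if the file is not a PE."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
        f.seek(e_lfanew)
        coff = f.read(6)  # "PE\0\0" signature followed by the Machine field
    if len(coff) < 6 or coff[:4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", coff, 4)[0]
    return MACHINE.get(machine, hex(machine))


def sha256_file(path):
    """Streaming SHA-256 of a file, for submission and cross-referencing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_mei_dir(mei_dir, loaded_modules=()):
    """One row per PE file in mei_dir; 'started' is True when the file name
    appears in loaded_modules (module names seen loaded at runtime)."""
    loaded = {m.lower() for m in loaded_modules}
    rows = []
    for name in sorted(os.listdir(mei_dir)):
        path = os.path.join(mei_dir, name)
        if not os.path.isfile(path):
            continue
        machine = pe_machine(path)
        if machine is None:
            continue  # data file, not a PE: nothing to submit
        rows.append({"name": name, "machine": machine,
                     "sha256": sha256_file(path),
                     "started": name.lower() in loaded})
    return rows


def build_demo_dir():
    """Constructed _MEI directory: minimal PE stubs (DOS header with
    e_lfanew pointing at a COFF header at 0x80) and one non-PE file."""
    mei = tempfile.mkdtemp(prefix="_MEI")

    def write_fake_pe(name, machine):
        dos = bytearray(0x40)
        dos[:2] = b"MZ"
        struct.pack_into("<I", dos, 0x3C, 0x80)
        coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
        with open(os.path.join(mei, name), "wb") as f:
            f.write(bytes(dos) + b"\0" * 0x40 + coff)

    write_fake_pe("pywintypes27.dll", 0x14C)
    write_fake_pe("eof.memscan.pyd", 0x14C)
    with open(os.path.join(mei, "base_library.zip"), "wb") as f:
        f.write(b"PK\x03\x04 constructed, not a PE")
    return mei


def demo():
    """Triage the constructed directory; the loaded-module list is
    constructed from the report's 'Sections loaded' entry."""
    mei = build_demo_dir()
    return triage_mei_dir(mei, loaded_modules=["pywintypes27.dll"])


if __name__ == "__main__":
    for row in demo():
        flag = "started" if row["started"] else "NOT started: submit for secondary analysis"
        print(f"{row['name']:24} {row['machine']:5} {row['sha256'][:16]}...  {flag}")
```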
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Windows\System32\cmd.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Dropped PE file which has not been started (82 files, all in C:\Users\user\AppData\Local\Temp\_MEI70442\, in report order):
          bz2.pyd
          eof.forensic_scripts.volume_shadow_copy.pyd
          eof.memorpy.utils.pyd
          mfcm90.dll
          psutil._psutil_windows.pyd
          eof.windows_scripts.installed_softwares.pyd
          _socket.pyd
          eof.forensic.pyd
          eof.windows_scripts.signatures.pyd
          eof.disk.pyd
          msvcm90.dll
          eof.browsers_scan.firefox.pyd
          eof.memorpy.structures.pyd
          _ctypes.pyd
          eof.forensic_scripts.app_compat_cache.pyd
          win32process.pyd
          win32ui.pyd
          eof.psutil_xp.psutil._psutil_windows.pyd
          eof.autostarts.pyd
          Crypto.Cipher._AES.pyd
          eof.config.pyd
          eof.forensic_scripts.prefetch.pyd
          eof.memorpy.Address.pyd
          win32trace.pyd
          select.pyd
          eof.forensic_scripts.amcache.pyd
          PIL._imaging.pyd
          mfc90.dll
          cryptography.hazmat.bindings._openssl.pyd
          mfcm90u.dll
          win32security.pyd
          pythoncom27.dll
          eof.browsers_scan.opera.pyd
          eof.memorpy.WinProcess.pyd
          win32evtlog.pyd
          _ssl.pyd
          eof.memorpy.Locator.pyd
          eof.browsers_scan.regkey.pyd
          eof.windows_scripts.hosts.pyd
          _bsddb.pyd
          _hashlib.pyd
          eof.advanced.pyd
          eof.browsers_scan.chrome.pyd
          eof.process.pyd
          PIL._imagingtk.pyd
          eof.forensic_scripts.registry_live.pyd
          unicodedata.pyd
          eof.tools.pyd
          eof.browsers_scan.ie.pyd
          eof.memorpy.WinStructures.pyd
          pyexpat.pyd
          eof.browsers_scan.browsers_scan.pyd
          eof.memscan.pyd
          eof.forensic_scripts.registry_tracks.pyd
          _sqlite3.pyd
          mfc90u.dll
          win32pipe.pyd
          _testcapi.pyd
          win32console.pyd
          eof.forensic_scripts.registry_file.pyd
          win32com.shell.shell.pyd
          eof.memorpy.Process.pyd
          win32api.pyd
          _win32sysloader.pyd
          msvcr90.dll
          eof.eof.pyd
          win32file.pyd
          eof.forensic_scripts.recent_file_cache.pyd
          eof.forensic_scripts.registry.pyd
          eof.yarapy.pyd
          eof.windows_scripts.security_products_state.pyd
          msvcp90.dll
          win32gui.pyd
          _cffi_backend.pyd
          eof.memorpy.BaseProcess.pyd
          eof.memorpy.MemWorker.pyd
          python27.dll
          cryptography.hazmat.bindings._constant_time.pyd
          eof.browsers_scan.optimizejars.pyd
          eof.windows_scripts.autostarts.pyd
          eof.browsers_scan.misc.pyd
          PIL._webp.pyd
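The list above is a PyInstaller one-file extraction directory (`_MEI` followed by digits that begin with the bootloader's process ID), and most of its content is runtime boilerplate rather than anything specific to the sample. The added example below is not code from the report or from the sample's authors; it sorts such a drop list into buckets so that only the application's own compiled modules are sent for secondary analysis, which is what the report's Analysis Advice asks for. The bucket tables and the top-level package name `eof` are assumptions taken from the file names on this page, and the input is a constructed subset of the paths listed above.

```python
"""Triage of a PyInstaller _MEI extraction directory from a sandbox drop list.

Added example; not code from the Joe Sandbox report or from the sample's
authors. Bucket tables are assumptions based on well-known module names and
on the file names listed on this page.
"""
import re
from collections import Counter, defaultdict

# Constructed subset of the "Dropped PE file" paths from the report.
DROPPED = [
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\bz2.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.volume_shadow_copy.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.utils.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\mfcm90.dll",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\psutil._psutil_windows.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\win32ui.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\Crypto.Cipher._AES.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._openssl.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\pythoncom27.dll",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.chrome.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memscan.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\msvcr90.dll",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\python27.dll",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\eof.yarapy.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._webp.pyd",
    r"C:\Users\user\AppData\Local\Temp\_MEI70442\_cffi_backend.pyd",
]

MEI_RE = re.compile(r"\\(_MEI(\d+))\\")

# CPython 2.7 runtime: python27.dll plus standard-library extension modules.
STDLIB_EXT = {"bz2", "_socket", "_ctypes", "select", "_ssl", "_bsddb", "_hashlib",
              "unicodedata", "pyexpat", "_sqlite3", "_testcapi"}
# Visual C++ 2008 (VC9) CRT and MFC 9.0, which CPython 2.7 and pywin32's win32ui link against.
VC9_RUNTIME = {"msvcr90", "msvcp90", "msvcm90", "mfc90", "mfc90u", "mfcm90", "mfcm90u"}
# Third-party packages recognised by their top-level import name.
THIRD_PARTY = {"psutil", "Crypto", "cryptography", "PIL", "_cffi_backend"}


def _name(path):
    return path.rsplit("\\", 1)[-1]


def _stem(path):
    return _name(path).rsplit(".", 1)[0]  # "eof.memorpy.utils" for eof.memorpy.utils.pyd


def classify(path, app_package="eof"):
    """Bucket a dropped file by its file name alone (no disk access needed)."""
    stem = _stem(path)
    top = stem.split(".")[0]
    if stem == "python27" or stem in STDLIB_EXT:
        return "cpython-runtime"
    if stem in VC9_RUNTIME:
        return "vc9-runtime"
    if top.startswith("win32") or top in ("pythoncom27", "_win32sysloader"):
        return "pywin32"
    if top in THIRD_PARTY:
        return "third-party"
    if top == app_package:
        return "application"
    return "unknown"


def bucket(paths, app_package="eof"):
    """Map bucket name -> sorted file names."""
    out = defaultdict(list)
    for p in paths:
        out[classify(p, app_package)].append(_name(p))
    return {k: sorted(v) for k, v in out.items()}


def extraction_dir(paths):
    """The single _MEI directory the files were dropped into, and its digits
    (PyInstaller builds the name from the bootloader PID plus a short suffix)."""
    dirs = {}
    for p in paths:
        m = MEI_RE.search(p)
        if m:
            dirs[p[:m.end(1)]] = m.group(2)
    if len(dirs) != 1:
        raise ValueError("expected exactly one _MEI directory, got %r" % sorted(dirs))
    (d, digits), = dirs.items()
    return d, digits


def app_subpackages(paths, app_package="eof"):
    """Count the application's sub-packages; the names hint at capabilities."""
    counts = Counter()
    for p in paths:
        parts = _stem(p).split(".")
        if parts[0] != app_package:
            continue
        counts[parts[1] if len(parts) >= 3 else "(top level)"] += 1
    return counts


def secondary_analysis_candidates(paths, app_package="eof"):
    """Application-specific PE files worth submitting on their own."""
    return [p for p in paths if classify(p, app_package) == "application"]


if __name__ == "__main__":
    d, digits = extraction_dir(DROPPED)
    print("extraction dir:", d, "digits:", digits)
    for k, v in sorted(bucket(DROPPED).items()):
        print("%-16s %2d  %s" % (k, len(v), ", ".join(v)))
    print("application sub-packages:", dict(app_subpackages(DROPPED)))
    print("submit for secondary analysis:", len(secondary_analysis_candidates(DROPPED)), "files")
```

The runtime buckets are not proof of benign intent (a malicious PyInstaller build drops exactly the same python27.dll and VC9 DLLs), but they let the analyst spend the secondary-analysis budget on the `eof.*` modules, whose sub-package names here point at memory scanning, browser artifact parsing, registry and prefetch parsing, and YARA scanning.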
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Config\
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\
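The repeated `Application Data` components in the paths above are the signature of a directory walk that follows Windows' backward-compatibility junctions: `C:\Documents and Settings` points to `C:\Users`, `C:\Users\All Users` to `C:\ProgramData`, and `C:\ProgramData\Application Data` back to `C:\ProgramData`, so every pass through the last one re-enters the same tree one level deeper. The report shows the symptom, not the walker's code; the added example below is not from the report or the sample's authors. It gives a walker that refuses to descend into reparse points (junctions and symlinks), plus a detector for the repeated-component symptom in sandbox file-access logs. The demo builds its loop with a symlink in a temporary directory, which is an assumption standing in for a Windows junction so that it runs on any platform.

```python
"""Why a directory walk ends up in ...\\Application Data\\Application Data\\...

Added example; not code from the Joe Sandbox report or from the sample's
authors. The loop-detection threshold and the temp-dir demo are assumptions.
"""
import os
import shutil
import stat
import tempfile

# First "File opened" path from the report, reconstructed (nine junction passes).
REPORT_PATH = (r"C:\Documents and Settings\All Users"
               + r"\Application Data" * 9
               + r"\Microsoft\Search\Data\Applications\Windows\Config")


def repeated_component(path, min_repeats=3):
    """Return (component, run_length) for the longest run of an identical
    directory component, or None when no run reaches min_repeats. A run of
    the same name is what a junction pointing at its own parent produces."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    best, run = None, 1
    for prev, cur in zip(parts, parts[1:]):
        run = run + 1 if cur.lower() == prev.lower() else 1
        if run >= min_repeats and (best is None or run > best[1]):
            best = (cur, run)
    return best


def is_reparse_point(path):
    """True for Windows junctions/symlinks (FILE_ATTRIBUTE_REPARSE_POINT on the
    lstat result) and for POSIX symlinks; neither is followed by lstat."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # Windows only; 0 elsewhere
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT) or stat.S_ISLNK(st.st_mode)


def walk_dirs(root):
    """Yield directories under root, depth-first, never entering a reparse point."""
    stack = [root]
    while stack:
        d = stack.pop()
        yield d
        try:
            entries = sorted(os.listdir(d))
        except OSError:  # access denied, vanished directory: skip, do not abort
            continue
        for name in entries:
            full = os.path.join(d, name)
            if os.path.isdir(full) and not is_reparse_point(full):
                stack.append(full)


def demo_loop():
    """Build <tmp>\\ProgramData\\Application Data -> <tmp>\\ProgramData (as a
    symlink, standing in for the Windows junction) and return the relative
    directories the safe walker visits. A naive walker would recurse until
    the path length limit is hit, exactly as in the report."""
    root = tempfile.mkdtemp(prefix="junction-demo-")
    try:
        pd = os.path.join(root, "ProgramData")
        os.makedirs(os.path.join(pd, "Microsoft", "Search"))
        os.symlink(pd, os.path.join(pd, "Application Data"), target_is_directory=True)
        return sorted(os.path.relpath(d, root) for d in walk_dirs(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("report path:", repeated_component(REPORT_PATH))
    print("safe walk visits:", demo_loop())
```

On Windows the same check works on real junctions because `os.lstat` reports `st_file_attributes`; the forensic tool's target files (Windows Search GatherLogs, in this case) are still reachable through the canonical `C:\ProgramData\...` path, so skipping reparse points loses nothing.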
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Process token adjusted: Debug (3 occurrences)
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Process created: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe "C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wmic logicaldisk get name
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic logicaldisk get name
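The three "Process created" entries form the chain sample -> sample (same image, same command line) -> cmd.exe -> WMIC.exe. The self-spawn is how a PyInstaller one-file executable runs: the bootloader extracts to `_MEI` and launches a second copy of its own image to host the Python code, so on its own it is context rather than an indicator. The drive enumeration is the part worth a rule, and only when it originates from an executable in a user-writable location. The added example below is not from the report; it encodes both observations over Sysmon-style process-creation events. The events, their PIDs and field names are constructed from the lines above, and treating any image outside `C:\Windows` and `C:\Program Files` as user-writable is a simplifying assumption.

```python
"""Turning the process chain above into detection logic.

Added example; not from the Joe Sandbox report or the sample's authors.
Events are a constructed Sysmon-style rendering of the "Process created"
lines on this page; PIDs and field names are assumptions.
"""

EVENTS = [  # constructed; PIDs are placeholders, images and command lines are from the report
    {"pid": 100, "ppid": 1,
     "image": r"C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe",
     "cmdline": r'"C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"'},
    {"pid": 101, "ppid": 100,
     "image": r"C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe",
     "cmdline": r'"C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe"'},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c wmic logicaldisk get name"},
    {"pid": 103, "ppid": 102,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get name"},
]

# Simplifying assumption: everything outside these roots is user-writable.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_user_writable_path(image):
    return not image.lower().startswith(SYSTEM_PREFIXES)


def _by_pid(events):
    return {e["pid"]: e for e in events}


def ancestry(events, pid):
    """PIDs from pid up to the highest ancestor present in the event set."""
    by_pid = _by_pid(events)
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return chain


def self_spawns(events):
    """(parent_pid, child_pid) pairs where a process launched its own image with
    an identical command line: the PyInstaller one-file pattern. Context only."""
    by_pid = _by_pid(events)
    pairs = []
    for e in events:
        p = by_pid.get(e["ppid"])
        if p and p["image"].lower() == e["image"].lower() and p["cmdline"] == e["cmdline"]:
            pairs.append((p["pid"], e["pid"]))
    return pairs


def wmic_discovery_from_user_path(events):
    """wmic.exe enumerating logical disks with an ancestor running from a
    user-writable path. Returns the wmic PID, the nearest such ancestor and
    the whole chain, so the cmd.exe hop in the middle stays visible."""
    by_pid = _by_pid(events)
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\wmic.exe"):
            continue
        if "logicaldisk" not in e["cmdline"].lower():
            continue
        chain = ancestry(events, e["pid"])
        origin = next((pid for pid in chain[1:] if in_user_writable_path(by_pid[pid]["image"])), None)
        if origin is not None:
            hits.append({"wmic_pid": e["pid"], "origin_pid": origin, "chain": chain})
    return hits


if __name__ == "__main__":
    print("self-spawns (PyInstaller context):", self_spawns(EVENTS))
    for hit in wmic_discovery_from_user_path(EVENTS):
        print("drive discovery from user path:", hit)
```

In a production rule the origin check would consult the process's signer and path reputation rather than a path prefix, and a same-image self-spawn would be attached to the finding as an enrichment field, not raised as its own alert.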
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information (94 calls, in report order; consecutive identical calls collapsed with their count):
          C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation (2 calls)
          C:\Users\user\AppData\Local\Temp\_MEI70442\Crypto.Cipher._AES.pyd VolumeInformation
          C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation (16 calls)
          C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd VolumeInformation
          C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation (28 calls)
          C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd VolumeInformation
          C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
          C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd VolumeInformation
          C:\Users\user\AppData\Local\Temp\_MEI70442\_ssl.pyd VolumeInformation
          C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation (32 calls)
          C:\Users\user\AppData\Local\Temp\09isgp VolumeInformation (2 calls)
          C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
          C:\Users\user\AppData\Local\Temp\_MEI70442\win32api.pyd VolumeInformation
          C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation (6 calls)
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_sqlite3.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\__init__.py VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\tmpo8tal6\gen_py\dicts.dat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32com.shell.shell.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32console.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32file.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32gui.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\win32process.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\pyexpat.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\psutil._psutil_windows.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imaging.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.advanced.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.config.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.tools.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.browsers_scan.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.misc.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.regkey.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.ie.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.firefox.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.optimizejars.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.chrome.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.opera.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.hosts.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.installed_softwares.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.security_products_state.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.autostarts.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.disk.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memscan.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.yarapy.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.MemWorker.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Process.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.BaseProcess.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.utils.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinProcess.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.structures.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.WinStructures.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Address.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.memorpy.Locator.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.windows_scripts.signatures.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.eof.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.amcache.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_file.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.volume_shadow_copy.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_live.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry_tracks.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.forensic_scripts.registry.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\eof.process.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\embedded\yara\tehtris_enc.yar VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography-1.7.2-py2.7.egg-info\entry_points.txt VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._constant_time.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\_cffi_backend.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\unicodedata.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._openssl.pyd VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\dwm.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0515~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\winlogon.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\lsass.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\fontdrvhost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.3448.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\dllhost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\wbem\WmiPrvSE.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\spoolsv.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\conhost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\backgroundTaskHost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0510~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Windows\System32\ApplicationFrameHost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe | Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0515~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\conhost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\conhost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\sihost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\sihost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\ctfmon.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\dasHost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\dasHost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0511~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\explorer.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\svchost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0512~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\dllhost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\dllhost.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeQueries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
      Source: C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (one row per tactic; the number in parentheses is the count the original matrix attaches to that technique, and cells without a number are the matrix's default, unmatched techniques):

Reconnaissance:        Gather Victim Identity Information | Credentials | Email Addresses
Resource Development:  Acquire Infrastructure | Domains | DNS Server
Initial Access:        Valid Accounts | Default Accounts | Domain Accounts
Execution:             Windows Management Instrumentation | Scheduled Task/Job | At
Persistence:           DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation:  Process Injection (11) | DLL Side-Loading (1) | Logon Script (Windows)
Defense Evasion:       Process Injection (11) | DLL Side-Loading (1) | Obfuscated Files or Information
Credential Access:     OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery:             Process Discovery (1) | File and Directory Discovery (1) | System Information Discovery (12)
Lateral Movement:      Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection:            Data from Local System | Data from Removable Media | Data from Network Shared Drive
Command and Control:   Data Obfuscation | Junk Data | Steganography
Exfiltration:          Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Impact:                Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
tehtris_offline_forensic_2.6.0.0.exe | 0% | ReversingLabs | |
tehtris_offline_forensic_2.6.0.0.exe | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\_MEI70442\Crypto.Cipher._AES.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\Crypto.Cipher._AES.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imaging.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imaging.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imagingtk.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._imagingtk.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._webp.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\PIL._webp.pyd | 1% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_bsddb.pyd | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_bsddb.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_cffi_backend.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_cffi_backend.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_ctypes.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_hashlib.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_socket.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_sqlite3.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_sqlite3.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_ssl.pyd | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_ssl.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_testcapi.pyd | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_testcapi.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\_win32sysloader.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\_win32sysloader.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\bz2.pyd | 2% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\bz2.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._constant_time.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._constant_time.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._openssl.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\cryptography.hazmat.bindings._openssl.pyd | 1% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\eof.advanced.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\eof.advanced.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\eof.autostarts.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\eof.autostarts.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.browsers_scan.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.browsers_scan.pyd | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.chrome.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI70442\eof.browsers_scan.chrome.pyd | 0% | Virustotal | | Browse
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      No contacted domains info
      No contacted IP infos
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1426616
      Start date and time:2024-04-16 11:52:04 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:defaultwindowsinteractivecookbook.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • EGA enabled
      Analysis Mode:stream
      Analysis stop reason:Timeout
      Sample name:tehtris_offline_forensic_2.6.0.0.exe
      Detection:SUS
      Classification:sus23.winEXE@8/100@0/0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtCreateFile calls found.
      • Report size getting too big, too many NtCreateKey calls found.
      • Report size getting too big, too many NtEnumerateKey calls found.
      • Report size getting too big, too many NtOpenFile calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
      • Report size getting too big, too many NtReadFile calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.
      • Report size getting too big, too many NtSetInformationFile calls found.
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):4
      Entropy (8bit):2.0
      Encrypted:false
      SSDEEP:
      MD5:3F1D1D8D87177D3D8D897D7E421F84D6
      SHA1:DD082D742A5CB751290F1DB2BD519C286AA86D95
      SHA-256:F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
      SHA-512:2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
      Malicious:false
      Reputation:unknown
      Preview:blat
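The entry above records the fields Joe Sandbox computes for every dropped file: size, 8-bit entropy and four hashes. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed tool; it recomputes those fields so a file recovered from the sandbox, or from a PyInstaller _MEI* extraction directory on a live host, can be checked against a report entry. The entry used as the check is the 4-byte file whose preview reads "blat"; its bytes are assumed to be exactly that ASCII text (size 4, no line terminators). The function names, the `is_pe` flag (an "MZ" header check, matching how the PE32 previews in this report start) and the `scan_directory` helper are this example's own choices, not a Joe Sandbox API.

```python
"""Recompute the per-file fields a Joe Sandbox dropped-file entry records.

Added example; not part of the report and not code from the analysed sample.
"""
import hashlib
import math
import os
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metrics(data: bytes) -> dict:
    """Return the fields a dropped-file entry lists; hashes upper-cased like the report."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        # DOS/PE stub signature; the PE32 previews in the report start with "MZ".
        "is_pe": data[:2] == b"MZ",
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def mismatches(data: bytes, expected: dict) -> list:
    """Names of fields in `expected` that disagree with the recomputed metrics.

    An empty list means the file matches the report entry on every field given.
    """
    actual = file_metrics(data)
    bad = []
    for key, want in expected.items():
        have = actual[key]
        if key == "entropy":
            if abs(have - float(want)) > 1e-6:
                bad.append(key)
        elif str(have).upper() != str(want).upper():
            bad.append(key)
    return bad


def scan_directory(root: str) -> dict:
    """Map each file under `root` (relative path) to its metrics, e.g. for a _MEI* directory.

    A missing directory simply yields an empty mapping.
    """
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = file_metrics(fh.read())
    return out


# Fields copied from the dropped-file entry above (4-byte ASCII file, preview "blat").
BLAT_REPORT_ENTRY = {
    "size": 4,
    "entropy": 2.0,
    "md5": "3F1D1D8D87177D3D8D897D7E421F84D6",
    "sha1": "DD082D742A5CB751290F1DB2BD519C286AA86D95",
    "sha256": "F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2",
    "sha512": "2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9",
}

if __name__ == "__main__":
    # Constructed input: the dropped file's content as shown in the report preview.
    print("fields disagreeing with the report entry:", mismatches(b"blat", BLAT_REPORT_ENTRY))
```

Entropy is the quickest sanity check on an entry: four distinct bytes each appearing once give exactly 2.0 bits per byte, which is what the report shows for this file, while the packed PE32 modules further down sit between 5 and 7. To compare a whole recovered `_MEI*` directory against the report, run `scan_directory` on it and look the relative path up in the dropped-files list.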
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):29184
      Entropy (8bit):7.038342557344039
      Encrypted:false
      SSDEEP:
      MD5:FBB6038B6EEB64F652DE7CFB7E43F3AF
      SHA1:FD7C184B4A08F6D6545FF06555316958852D10D5
      SHA-256:BCC1BBD3B42518C10B6A697C3AF1E57422EA60D4AFCE633FAAA2912F16B98A7B
      SHA-512:3EC1D4735EE6BA1E8CB64BAE19C6347E5B1A531233EC2688DE43E138CCE507ECC4D03878FE21562331B4D93F8A2BF87757C0E55105772ED13FBE8F544918CD55
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 0%, Browse
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<...<...<...5...=...5...>...5...;...<.......5...3...5...=...5...=...Rich<...........................PE..L....R.X...........!.........D.......8.......@......................................................................0p..D....j..P...............................8...................................Pi..@............@...............................text...*-.......................... ..`.rdata..t0...@...2...2..............@..@.data...<............d..............@....reloc...............l..............@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:C source, ASCII text
      Category:dropped
      Size (bytes):21321
      Entropy (8bit):5.345136937906198
      Encrypted:false
      SSDEEP:
      MD5:BC185DE8B2437963368A85FDD9852951
      SHA1:1459F1428214FCCA7F203FB3A3AFF28E16EB9C1B
      SHA-256:8B130D901E0F83B55699D565F103F2F8F1B3A51712EBB4B9646EA517CC1F04D6
      SHA-512:918469D9A59FE059F3C7C93F34C8D2D07CB8A9BF5E953A1527922ED5C65FF4A2DF50BBC78ED9CE146BF3A1FB6F1763F061262FA4A937BEEEE1FEB8A99E31339E
      Malicious:false
      Reputation:unknown
      Preview:#ifndef Py_CONFIG_H.#define Py_CONFIG_H../* pyconfig.h. NOT Generated automatically by configure...This is a manually maintained version used for the Watcom,.Borland and Microsoft Visual C++ compilers. It is a.standard part of the Python distribution...WINDOWS DEFINES:.The code specific to Windows should be wrapped around one of.the following #defines..MS_WIN64 - Code specific to the MS Win64 API.MS_WIN32 - Code specific to the MS Win32 (and Win64) API (obsolete, this covers all supported APIs).MS_WINDOWS - Code specific to Windows, but all versions..MS_WINCE - Code specific to Windows CE.Py_ENABLE_SHARED - Code if the Python core is built as a DLL...Also note that neither "_M_IX86" or "_MSC_VER" should be used for.any purpose other than "Windows Intel x86 specific" and "Microsoft.compiler specific". Therefore, these should be very rare....NOTE: The following symbols are deprecated:.NT, USE_DL_EXPORT, USE_DL_IMPORT, DL_EXPORT, DL_IMPORT.MS_CORE_DLL...WIN32 is still required for the
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1050
      Entropy (8bit):5.375616908722781
      Encrypted:false
      SSDEEP:
      MD5:7D36F7F779B92DC3CF7B930F519005D1
      SHA1:B3995EA96A587F95F3AA0A68BF33790BFA1F1B32
      SHA-256:0B3C3E0DE20A553C59DFB19A23219D3526CE19EB2F6007315A987F4609A4D0BA
      SHA-512:E77ECFD2693B9576C07BA18823454C24987AFD6A22982B028813997176D33A75D22C511C61A7C4332F33331B262622EF4F75AAAF8CC456FCFDBB001E03646243
      Malicious:false
      Reputation:unknown
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">.. <noInheritable/>.. <assemblyIdentity name="Microsoft.VC90.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.30729.4974"/>.. <file hash="396c2d06afdf4f771acb775025ce85e8c86fb6bf" hashalg="SHA1" name="msvcr90.dll"/>.. <file hash="2fa7ce8cfa7b1d7c63169f70cfb62bd006f7d6ad" hashalg="SHA1" name="msvcp90.dll"/>.. <file hash="32c6abfca0ec816ed2f1ff81ce25eaec8176cd15" hashalg="SHA1" name="msvcm90.dll"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.. <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>..
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1139
      Entropy (8bit):5.3684366346449774
      Encrypted:false
      SSDEEP:
      MD5:73FFAD4B600E1F7BC906C2B8C7CB9698
      SHA1:D2A460127ABD0703ED06FF480194F3417DC9A7E6
      SHA-256:F41FF4AADFB55C5FD77C821B3C256CF3C1300B452D580900D61A2EB2011052B0
      SHA-512:9018207448E77D2E71E7B3C700AD88DBB7DE35A94D9B2B0AB80D11C295E268AD19002106AC3593DCAC1B02F6A7C14F1F417D7550A4FFAB09868C39349A97C349
      Malicious:false
      Reputation:unknown
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">.. <noInheritable/>.. <assemblyIdentity name="Microsoft.VC90.MFC" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.30729.4974"/>.. <file hash="2087b808d741797d1894690e0712bb94da62be08" hashalg="SHA1" name="mfc90.dll"/>.. <file hash="722710fe17690cd83a51a842e04976f26ca44d55" hashalg="SHA1" name="mfc90u.dll"/>.. <file hash="dec69dde636699f57922ab5ca7b8a4ff1dcf6eb4" hashalg="SHA1" name="mfcm90.dll"/>.. <file hash="4ab67ea9a03ec8347f354f73efdcf2b856d81abe" hashalg="SHA1" name="mfcm90u.dll"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):936960
      Entropy (8bit):6.675206706090499
      Encrypted:false
      SSDEEP:
      MD5:566549D07D5F3803026FED48DE73D057
      SHA1:F9469A50B90BEB48C1DB5D02F5A295DE4D1B1868
      SHA-256:45AB36591C7A8AA48CD6AD69A5767658E1D45CAD65C50DC7551ED1284DB250D6
      SHA-512:673A4AD007F0B1E5545726FC9A0D74BFB4C16BDAE1DA5225FF2BB4D626668427A0E8525475393C95E05E3C5E2A553D5B57AA6A9EAF47F81B08B12E1575B5DDA5
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 0%, Browse
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-...C]..C]..C]'..]..C]...]..C]...]..C]..B]x.C]...]..C]...]..C]...]&.C]...]..C]...]..C]Rich..C]................PE..L.....iX...........!.................................................................................................t..L....a..x............................ ...S...................................................................................text...:........................... ..`.rdata.............................@..@.data...X............j..............@....reloc...X... ...Z..................@..B................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):9216
      Entropy (8bit):5.3093734784850035
      Encrypted:false
      SSDEEP:
      MD5:56F715A424DEC6F9E7E8AD9F37F245CD
      SHA1:D11945A776A8D710F8E29F6AE2728656E1FAA6E5
      SHA-256:3F51982F3424D3B8571BA82553899A8856BE127905936858D873E088A0D91A5F
      SHA-512:94F45C9258F0563A054370830A0BDE4691F3612AD6D4DED1EC7FE1C3F554EC89FA1E5CF48B6C33C8FDF998D7EBE8F37750D668DC68C1BE430A7A4EE1C98460D8
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 0%, Browse
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U..f...5...5...5..b5...5..s5...5..d5...5...5:..5..t5...5..e5...5..f5...5Rich...5........PE..L.....iX...........!................v........ ...............................P...................................... &..P....!..d............................@....................................... ..@............ ...............................text............................... ..`.rdata..p.... ......................@..@.data........0......................@....reloc.. ....@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):349184
      Entropy (8bit):6.736483891304412
      Encrypted:false
      SSDEEP:
      MD5:4F77109EDC58FFBD8EDD1FCDBDC6FDEB
      SHA1:FF63D7E5DCD96E37F7EBBBE2FE0871AC41685AB3
      SHA-256:7FA530310E9B450B369ADE3EC61DB6035D812670211B76A6F5549A42D3F8F083
      SHA-512:9190C4BA0A9E13881A9940F885ACE8F51DD278F249EB5156D0FA79C959444453D08F5F845F8F8C5F018C9BAC9ED5CD903085732A41F496941A44E9214B162524
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 1%, Browse
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V.l...l...l....@..l....Q..l....F..l...l...l....V..l....G..l....D..l..Rich.l..........PE..L.....iX...........!................;................................................................................J..F....D..P............................p.......................................C..@............................................text............................... ..`.rdata...z.......|..................@..@.data........P.......8..............@....reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1107968
      Entropy (8bit):6.769727775082088
      Encrypted:false
      SSDEEP:
      MD5:FBBE22703A414108592FCDA677180685
      SHA1:E1834417AD43BED217196811983E29F03510FECF
      SHA-256:26C3A47D199D15A897A0FBD6CAD6AAE4438C4267C1255319ACA6A5B77CC3B6CD
      SHA-512:96550CE81EA1FE930B769A453519045C6357C622C2DDB8C5423B2EE872734D0B768AF823A6A1B4B287F2D01DE3159D6497937D509EA5C85E8362876AC72C1CBC
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
      • Antivirus: Virustotal, Detection: 0%, Browse
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`..u3..u3..u3...3..u3...3..u3...3..u3..t3C.u3...3..u3...3u.u3...3..u3...3..u3Rich..u3................PE..L....DqW...........!.........B...............................................0.......-....@..........................d.._....S..x...............................Hw...................................R..@...............h............................text...j........................... ..`.rdata..............................@..@.data....#...p.......L..............@....rsrc................h..............@..@.reloc..,y.......z...n..............@..B................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):119808
      Entropy (8bit):6.5618571058390796
      Encrypted:false
      SSDEEP:
      MD5:82A30D623A3ACD1B09842CD6DE6C3B80
      SHA1:A83B0739D5A6D043079FB3501522F218EBFD617F
      SHA-256:35DDAD9934B5B95E66B6F9F0686AE11647F716C384CA3D37D6D433F1D1CE93B0
      SHA-512:ED8C1865D966CB3AF115554D4CBB70FF1451A83F66A93F03D68D8A9D8445F90C82246EA817BF66ED488D3664D5D7E66B6FE35BA65BEC71EFEEBB59A723BED2E4
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):93184
      Entropy (8bit):6.497795473929825
      Encrypted:false
      SSDEEP:
      MD5:D905E2BD20BFEF742C727526724513C8
      SHA1:96972EB304C7A5F4A435F250943B8A8BFC0B0A6E
      SHA-256:1C13F80E6D8F532BCC73E85F654B5506E36ADB335A8D62F34E0FB559A73F3E03
      SHA-512:7944CD6077510C30520C849FA7AAF787601AE6D01E1FFCC51A71C322ED4A2091DE4DD8C651573A8D42474963028A2A5892038C19565693373C19293BBB834101
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1014784
      Entropy (8bit):6.841096025901925
      Encrypted:false
      SSDEEP:
      MD5:60923CA118D9AE2D101BFA83AF673EF4
      SHA1:B3829A3BC9963003475707C1D156ED7FB32343D6
      SHA-256:2DEAACB11BB4F7EF3D4AF8B0139F5F00431AD5582D27AAD891BDA04AC7B8038A
      SHA-512:480DFD3C1BAF0BCE57A9337370039F0D286A9B8378C24BE8E46E819EDA2C09C0C60B17D4F4898674E884D89CAB9C3ADB0C4B77D7C3990903EB308764D3137ABA
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):48128
      Entropy (8bit):6.550794854150774
      Encrypted:false
      SSDEEP:
      MD5:E9E69710C55905D81E6550BCDD920C0C
      SHA1:C587AE96CEBD01302CFFDD056EFEF5AF7E847898
      SHA-256:9DFEBB691489CF004FB41E42C0D4E0FF35DFB614B4E8806D3F2822859E3D4B06
      SHA-512:F6F308A423587EC4D41632B5D65848FDEAF3F7E2CF354D256325C247C6550BF6236D9ED3FD00926F46D98A1A0C250ABBD7B1EC97B78A01C5C9B416317F1756A3
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):51712
      Entropy (8bit):6.4946641123978575
      Encrypted:false
      SSDEEP:
      MD5:F5ABEFC5A6A75698FE62B127F74009EA
      SHA1:4694CF6FBB0A71CD35FDFFA5AD2E46B033DB35BA
      SHA-256:9664A08BF79E9F58CA18DDF4639923E7F6931E1EBE1FA881C9EAFEEBB7602031
      SHA-512:DD9B016AFB839919D120B29FEA8D18BA0ACE8CD0C1FFCAD94914BE405AB17EB195952434FF3CDB5BE6D6FBB80FEDA58F21214B991EC477057D0F5D248C3908FB
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1405952
      Entropy (8bit):6.844168786190902
      Encrypted:false
      SSDEEP:
      MD5:C9A372919D9939890846824B5EB470E2
      SHA1:C9BB64D76E83DB556F0AE6353EDB867F2A9CC84F
      SHA-256:D08440CE5833A606F7AA141F8BB4285A2609CDD7A07F83E5156DA27265C345E0
      SHA-512:E16DA4F6D6D24EAB9A61A88E52CEC10E5E41F7D97AA13806796230F2A36AED140CAE64117857A29B4086F2E25303B8448A5A99E36E16E029FAFE98D56F6BA6FB
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):42496
      Entropy (8bit):6.524339001483802
      Encrypted:false
      SSDEEP:
      MD5:A5B15057599E5106D3534BDF4DFDFC40
      SHA1:28EF6279EA8759519971FD009B150BE455782925
      SHA-256:676FF20E3FAD016CEB925D3BBF2BB7D46FA0514E0DBB54B27C3AEADCAD51F167
      SHA-512:9107C8A642149966AF99CE33DB087078F0D69F6954761A69FEF06253DC7C0374F5F2216FBB24BC9CB5E675E8141C61ECA0FB4839C35E0E7738DA51C10D4A98C0
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):7168
      Entropy (8bit):5.061610175097613
      Encrypted:false
      SSDEEP:
      MD5:EF42FE45A4B8CE4C956211E2A3C94135
      SHA1:08A5A3BA8CAEFD60A7AF3A88B89BFD078777CD3C
      SHA-256:1674BFA40FE422A2AF5BED6FA7CF29B5279E95FFC153B8F831786F84DF17D31A
      SHA-512:3D64803DB37CDB52F8878B8BFFD9385F319A0D751D302114ADAAD7DA415CB3338A933B474C0837A0A7222CEBD526486181B1D6A8941BE389DE645395538DD4A2
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):72704
      Entropy (8bit):6.752427751594252
      Encrypted:false
      SSDEEP:
      MD5:BF66BCB5FCD3E23E96F2D67E55E99609
      SHA1:F0F6FCA75B5300C405A2F14CF0BFEE9EDAEFFAB5
      SHA-256:BA7EEA63CE9F7E982F78EF86349ADC0BFA3C72662BEBC40ECA51887D2195A234
      SHA-512:3D2FAE9B7CDAF3DAE110AD79D6A4C5F212F00CD6A06D3EECB8BA2DA4915B6F80D84306D04367332300EE49F0532E5EFB1FC893CACCC689D4C18AF7B2E863A138
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 2%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text
      Category:dropped
      Size (bytes):2180
      Entropy (8bit):4.818015898522134
      Encrypted:false
      SSDEEP:
      MD5:C6D5FCC9264CCFA43D1D21FF8CCA29BA
      SHA1:4958985BA01E851597DB9FB1CEF736211DEB2DBE
      SHA-256:5A997B38D234F6E35DF12568B9EAF6CF6DF6132E567973699353FD963639F357
      SHA-512:1AF72E8F6859923A29D3C1ECC0D7CE3EBD7C63D498BB450CB93B290322112A463AF5E5157886D3C35D3313F1DD955AB558D03E5B66C6ADC295B3BF240AD1F93B
      Malicious:false
      Reputation:unknown
      Preview:Cryptography.============.... image:: https://img.shields.io/pypi/v/cryptography.svg. :target: https://pypi.python.org/pypi/cryptography/. :alt: Latest Version.... image:: https://readthedocs.org/projects/cryptography/badge/?version=latest. :target: https://cryptography.io. :alt: Latest Docs.... image:: https://travis-ci.org/pyca/cryptography.svg?branch=master. :target: https://travis-ci.org/pyca/cryptography.... image:: https://codecov.io/github/pyca/cryptography/coverage.svg?branch=master. :target: https://codecov.io/github/pyca/cryptography?branch=master...``cryptography`` is a package which provides cryptographic recipes and.primitives to Python developers. Our goal is for it to be your "cryptographic.standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 2.6+...``cryptography`` includes both high level recipes, and low level interfaces to.common cryptographic algorithms such as symmetric ciphers, message digests and.key derivation functions. For ex
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text
      Category:dropped
      Size (bytes):4
      Entropy (8bit):1.5
      Encrypted:false
      SSDEEP:
      MD5:365C9BFEB7D89244F2CE01C1DE44CB85
      SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
      SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
      SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
      Malicious:false
      Reputation:unknown
      Preview:pip.
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4714
      Entropy (8bit):5.087313118307497
      Encrypted:false
      SSDEEP:
      MD5:F635D03D405A3F8284DDB9C17E9C09B2
      SHA1:123A8A5BAA07AF9A570B2BBB1270B55E51A03C4E
      SHA-256:19B221E2DCF8978A80AC487A0264941926596C10C227097D08A6AAEA38163233
      SHA-512:76C74B3F5AC7D8FFDF077BBC79CB4DED096DB91178382320BCC93AD52B35677CE0933EBB15CC85640E753459D44A8F85AFF988151D75B7E78A713504F9ABAA01
      Malicious:false
      Reputation:unknown
      Preview:Metadata-Version: 2.0..Name: cryptography..Version: 1.7.2..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Home-page: https://github.com/pyca/cryptography..Author: The cryptography developers..Author-email: cryptography-dev@python.org..License: BSD or Apache License, Version 2.0..Platform: UNKNOWN..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating System :: POSIX :: BSD..Classifier: Operating System :: POSIX :: Linux..Classifier: Operating System :: Microsoft :: Windows..Classifier: Programming Language :: Python..Classifier: Programming Language :: Python :: 2..Classifier: Programming Language :: Python :: 2.6..Classifier: Programming Language :: Python :: 2.7..Clas
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:CSV text
      Category:dropped
      Size (bytes):11621
      Entropy (8bit):5.59286242988929
      Encrypted:false
      SSDEEP:
      MD5:41C422EAFB27ED5519840A07DBE8D1A3
      SHA1:5AAF1DEFFCA2782E730C436AE9295D97E800FB2B
      SHA-256:2742A1B4F43D504D516BC0A1EA3652ADA3ECAC1299759054659EB95C1B295461
      SHA-512:415BA3D6123BD61A9E5E480EB03BD6859759C123FEAEECB104A2456BEA0FCB6A0C312BCB1814E3ADDD092EB9C6624901AB40A36CC2D2DB322EE27917EB236C62
      Malicious:false
      Reputation:unknown
      Preview:cryptography/__about__.py,sha256=6pmKu57JU-gRRaeO9-iwW71x8sHSzgAr2QbfXaP4a_4,817..cryptography/__init__.py,sha256=NiBm3Qj07gEmyagrxoqVFqbhG-elC3kRqrqd76oyk9g,829..cryptography/exceptions.py,sha256=3DJSu6GT5l5yVqu8SHKODGZp_s66s_nZokxAgPyws-0,1234..cryptography/fernet.py,sha256=pjelLdt3wUxhokwtMJJpXeD5EcIeNHIMIjx_xfryMJQ,4305..cryptography/utils.py,sha256=GHNDnLj_4-LkUEmiNqoOYNYC8D-YLhKTduKcDWj3nRY,3919..cryptography/hazmat/__init__.py,sha256=hEPNQw8dgjIPIn42qaLwXNRLCyTGNZeSvkQb57DPhbs,483..cryptography/hazmat/backends/__init__.py,sha256=9el6UkOjpXtg8iptCqcXVz4vJAVJoi9CR-qEXQCX7Rk,2215..cryptography/hazmat/backends/interfaces.py,sha256=KuDIJres247LqxT8vNpTFZmkjVnHqEtpHdUJ8ZTMx1I,10279..cryptography/hazmat/backends/multibackend.py,sha256=2xMfHYOaJ0pIBubx7Vza2YapAlmEM_eyKWfF_yOUveU,19378..cryptography/hazmat/backends/commoncrypto/__init__.py,sha256=aihmGquS6-l9Bcx6W8-nPO7BbpBlFg86IjPMIOKtJDk,341..cryptography/hazmat/backends/commoncrypto/backend.py,sha256=_d671KFoz3PQ3n-PelHjc5GA3d9aRZiOzN
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):102
      Entropy (8bit):5.037696671172031
      Encrypted:false
      SSDEEP:
      MD5:2EB2AEE706A9AC3169B884948F3EC4B4
      SHA1:8638B4EEBBFC6B422F2F5EA391C6E20DEBE7F16F
      SHA-256:0C92881787D76213B916F2ABE3BBCC14F9C0F3CDAFD6C7A2AB5DD24B51536CCE
      SHA-512:19B83B67B7CFD422AF6385CA2F94093D4C834C7148BC88EA2C7D4A78977B1D468C23B3213D05ADAFD315CBFD3CC35398531A13D315F185F6AC7F976053209E13
      Malicious:false
      Reputation:unknown
      Preview:Wheel-Version: 1.0..Generator: bdist_wheel (0.29.0)..Root-Is-Purelib: false..Tag: cp27-cp27m-win32....
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text
      Category:dropped
      Size (bytes):80
      Entropy (8bit):4.421562083645507
      Encrypted:false
      SSDEEP:
      MD5:B597306FD773EFDFA5CBB84CEEC6FF61
      SHA1:E06DA897C6DCB4F55F903F4C8C991E92AEDD5BD3
      SHA-256:686E234ACA692B9B06937B09F3C0C642C5F16EC79C8BD30DE5981B63D54ABF29
      SHA-512:5B1B0423CF5DA0D56744BDE158F2C93356FE6ED4804622FB6CE48D6A8DEBE821F7CFACB1B1AA5D08CB4AAC265CDD140F69EDDC3BBF2D86A76DCA3E2DB28294B7
      Malicious:false
      Reputation:unknown
      Preview:[cryptography.backends].openssl = cryptography.hazmat.backends.openssl:backend..
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:JSON data
      Category:dropped
      Size (bytes):2233
      Entropy (8bit):5.048485649819386
      Encrypted:false
      SSDEEP:
      MD5:2F531BF3B6FE7E3DF854458CA5DE3A01
      SHA1:43BD59641D054840707DC3BAD8DC9BDCE8999AF4
      SHA-256:6932090D6A8D995C273143199791322D4F9F955223CA868455209A8797EC43D6
      SHA-512:DA5191B62E29C59608036B6B02522546391E6CDCFE3B926AB344CCD9C3529147B5F93B22A8269780EE646F981EE35330D80C97DD9BC350B75B2EC209A6A8097A
      Malicious:false
      Reputation:unknown
      Preview:{"classifiers": ["Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "License :: OSI Approved :: BSD License", "Natural Language :: English", "Operating System :: MacOS :: MacOS X", "Operating System :: POSIX", "Operating System :: POSIX :: BSD", "Operating System :: POSIX :: Linux", "Operating System :: Microsoft :: Windows", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: Implementation :: CPython", "Programming Language :: Python :: Implementation :: PyPy", "Topic :: Security :: Cryptography"], "extensions": {"python.details": {"contacts": [{"email": "cryptography-dev@python.org", "name": "The cryptography developers", "role": "author"}], "document
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text
      Category:dropped
      Size (bytes):46
      Entropy (8bit):4.039547553742005
      Encrypted:false
      SSDEEP:
      MD5:DDD9B5640A3051BCB8CA132EB1B2FB1B
      SHA1:23FD1DEA71D84FFA4AAFDB08B23C0E80996150DD
      SHA-256:402918404E07241A6A22BF9A06A6CE67BD0D95F6DE8CA9C313A3836CD814C308
      SHA-512:CBB7A7E3AB55E16EA7F07630D182EC7240CE49B7DC90E606C60B7BC515270E8EC07D8FCE9C4E98F80FB47B7F75C3C5E4A8E87A4FF7A934D1950F93B4D415420A
      Malicious:false
      Reputation:unknown
      Preview:_constant_time._openssl._padding.cryptography.
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):7168
      Entropy (8bit):5.21489975199494
      Encrypted:false
      SSDEEP:
      MD5:9D540C85296B5D53EBE125630CDFC751
      SHA1:D49D747B74ABD37E5FBB4F3EC798581CAD633A54
      SHA-256:BE276C239429DD2F61D39868157A0165CCBB2F5767DBB63D8ED6ABA01AEDA241
      SHA-512:E58998EB1F0302F7948B94C88E9D76BAEC7DA1150CEC714B5DD1FD2BF4D6A078B14F52C67AFBC0EEBD614527315F9A3488C9B5073E4F9056094D4AD8D72B234A
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):1828864
      Entropy (8bit):6.801194860825362
      Encrypted:false
      SSDEEP:
      MD5:B0E32C0A5179314CE7267ECB8E62270F
      SHA1:8B548976F143451970EC72AE9A695BC837917B38
      SHA-256:87DD440077260CC9D2A70CA5273D71DA242F667C0ACC24F5DA2B830597A2CC54
      SHA-512:A6EAD6F0D01A9D790B7853F6E7838B5502319FE7AE98A8FAA2E1DC9D2FB000BC3E0B9DABBC707E15C830212189FD3088C64A72637572829EAF94093DB487A9D6
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 1%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:Award BIOS Logo, 136 x 126
      Category:dropped
      Size (bytes):6021
      Entropy (8bit):7.963714028792397
      Encrypted:false
      SSDEEP:
      MD5:F64C34B7EF9FFEE5FB5F90A5382CAC7C
      SHA1:3AAD1D84BABD612EE86B6B773C836B47DB42C681
      SHA-256:4EBE5F3FB26495893A2AB899E0AB67F71BB7069D4869875029CF4DD8B2F312F9
      SHA-512:197F6BA11DDB72203E927C0EE4B2877468930D0FC6E83B8C28B7254A672AA79F357B9A2240B7F586703CCD68A9C5DD0BB15D5C80E52E0522AFC76055B22D8B28
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):112128
      Entropy (8bit):6.421209039784287
      Encrypted:false
      SSDEEP:
      MD5:F92DCCE84AFFB72DE0A0D548F5B37164
      SHA1:22F575999A7483FBBAEAA5F43FCB5B07036BFD12
      SHA-256:D8A672E9AEC95DB4059EABC85BB7588E27901A19D87080F941D109335F00EA55
      SHA-512:2DF00BFF8D712871A6A5A123972971C5A6C502B37ADC1BA28A6B6630EE18E8494853F7ABF7462049E9407A0FDC524AD6FD981A5CEA5B66D69C9168EF789CDAF2
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):28160
      Entropy (8bit):6.031592270925895
      Encrypted:false
      SSDEEP:
      MD5:F0A9410C8AB7672157F7CA2CA67DABC3
      SHA1:225B8E57D2F2E29CC898E7376DDF5D391E11FE0E
      SHA-256:0F6F4546467FF1D93475B48EDC95C0CD379540A29B775331E07AEF288E796BA3
      SHA-512:37ACEE146EE3D7BB4192E1DDA9791263E3A2E0EA195E266D16FB953B26C5D8D2419936F79141411717608FA62F9EBF43D0F280576098BB58196EEFD6A816C327
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x.z.<i..<i..<i..5...=i..5...>i..5...;i..<i..[i..5...3i..5...=i..5...=i..Rich<i..................PE..L......^...........!.....B...,.......K.......`.......................................................................n..P...|d..P...............................t....................................c..@............`...............................text...*@.......B.................. ..`.rdata.......`.......F..............@..@.data...d....p.......V..............@....reloc...............d..............@..B................................................................................................................................................................................................................................................................................................................................................................................
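The dropped-file records above give, for each PE, a "File Type" line, an "Entropy (8bit)" value and a set of digests. An analyst triaging the "Found dropped PE file which has not been started or loaded" finding usually wants to re-derive those values from the file itself rather than trust the report. The following script is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses the DOS, COFF and optional headers (the same bytes visible in the "Preview:" lines, where the `L` right after `PE..` is the low byte of Machine = 0x014C and the later `!` is the high byte of Characteristics = 0x2102), formats the classification in the report's wording, computes the 8-bit Shannon entropy, and prints digests in the report's upper-case form. The header bytes built by `build_sample_dll_header()` are constructed for the example and are not one of the dropped files; the entropy threshold is an assumed packer heuristic, not the report's own "Encrypted" rule.

```python
"""Re-derive the per-file metadata a sandbox report prints for a dropped PE.

Added example (not part of the Joe Sandbox report or of the analysed sample).
The sample header built below is constructed for illustration only.
"""
import hashlib
import math
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
# Assumed heuristic for this example; the report's own "Encrypted" threshold
# is not documented on the page.
HIGH_ENTROPY_THRESHOLD = 7.0


def parse_pe_header(data: bytes) -> dict:
    """Return the COFF file header fields plus magic and subsystem."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    if coff + 20 > len(data) or data[e_lfanew:coff] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # Magic is at offset 0 and Subsystem at offset 68 of the optional header
    # for both PE32 and PE32+.
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "characteristics": characteristics,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_32bit": bool(characteristics & IMAGE_FILE_32BIT_MACHINE),
        "magic": magic,
        "subsystem": subsystem,
    }


def describe(info: dict) -> str:
    """Format the header fields like the report's 'File Type' line."""
    fmt = {IMAGE_NT_OPTIONAL_HDR32_MAGIC: "PE32",
           IMAGE_NT_OPTIONAL_HDR64_MAGIC: "PE32+"}.get(
        info["magic"], f"magic 0x{info['magic']:x}")
    kind = "executable (DLL)" if info["is_dll"] else "executable"
    sub = {IMAGE_SUBSYSTEM_WINDOWS_GUI: "(GUI)",
           IMAGE_SUBSYSTEM_WINDOWS_CUI: "(console)"}.get(
        info["subsystem"], f"(subsystem {info['subsystem']})")
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386",
            IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(
        info["machine"], f"machine 0x{info['machine']:04x}")
    return f"{fmt} {kind} {sub} {arch}"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes) -> bool:
    """Flag high-entropy (likely packed/encrypted) content; assumed threshold."""
    return shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD


def digests(data: bytes) -> dict:
    """Upper-case hex digests, the form the report lists them in."""
    return {name: hashlib.new(algo, data).hexdigest().upper()
            for name, algo in (("MD5", "md5"), ("SHA1", "sha1"),
                               ("SHA-256", "sha256"), ("SHA-512", "sha512"))}


def build_sample_dll_header() -> bytes:
    """Constructed minimal PE32 GUI DLL header for i386 (example data only)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE signature
    coff = struct.pack(
        "<HHIIIHH",
        IMAGE_FILE_MACHINE_I386,  # bytes 4C 01: the 'L' after "PE.." in the previews
        4, 0x5E000000, 0, 0,      # 4 sections, made-up timestamp, no symbols
        0xE0,                     # SizeOfOptionalHeader for PE32
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL,  # 0x2102: high byte '!'
    )
    optional = (struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC) + bytes(66)
                + struct.pack("<H", IMAGE_SUBSYSTEM_WINDOWS_GUI) + bytes(0xE0 - 70))
    return bytes(dos) + b"PE\x00\x00" + coff + optional


if __name__ == "__main__":
    sample = build_sample_dll_header()
    info = parse_pe_header(sample)
    print(describe(info))  # PE32 executable (DLL) (GUI) Intel 80386
    print(f"Entropy (8bit): {shannon_entropy(sample):.6f}")
    for name, value in digests(sample).items():
        print(f"{name}: {value}")
```

To apply it to a real dropped file, read the file's bytes and pass them to `parse_pe_header`, `shannon_entropy` and `digests`; the digests should match the report's MD5/SHA1/SHA-256/SHA-512 lines exactly, and a mismatch means the file on disk is not the one the sandbox recorded.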
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):72192
      Entropy (8bit):6.235311188900963
      Encrypted:false
      SSDEEP:
      MD5:26B568DFC3F235962A935AF70C5B6E64
      SHA1:D9677F62BD20B3DF19D2D735E65CE71906BC563D
      SHA-256:8A4AFB5C35F7DBA4C1B850B543B273ABBA1EA735D5F2C26A3F4BF0589255D1B3
      SHA-512:B0A6D68C4699FD1A732E8897F955B6A8267C8DD7F00A84C3AE48E2BAE13A7C7DDB64EF0CEF2BA6AFE2C01720CCAECD71B709F43514C1F128DED74F89A98D2E41
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<i..<i..<i..5...=i..5...>i..5...;i..<i..Ui..5...3i..5...=i..5...=i..Rich<i..................PE..L......^...........!.........J...............................................P......................................`...V...,...P............................0......................................`...@............................................text...*........................... ..`.rdata..............................@..@.data...l...........................@....reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):111616
      Entropy (8bit):6.393962397625901
      Encrypted:false
      SSDEEP:
      MD5:F9EBF2FA522093116FB8495A98980524
      SHA1:13D02CF48B534E20F5564479E4464CE819684FFF
      SHA-256:BF9713883EDFC893446EA6EA6382B249B55F6F49A8967274075E4DD9BB3E1B68
      SHA-512:795B578FCF34AEFCF4792A7E31ADE3930FD964EE244DA41B7D63878EFBAC4074ED4CA8247DE3DAC4E2FF49F7B79F8F127C2A5AA0AE6826E47D6BE26BEFD91597
      Malicious:false
      Antivirus:
      • Antivirus: ReversingLabs, Detection: 0%
      • Antivirus: Virustotal, Detection: 0%
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<m..<m..<m..5...=m..5...>m..5...;m..<m..Fm..5...3m..5...=m..5...=m..Rich<m..........................PE..L......^...........!.....R...d.......[.......p......................................................................`...H....z..P...............................`#...................................y..@............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...T%....... ...n..............@....reloc..:$.......&..................@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):188416
      Entropy (8bit):6.4305010940571705
      Encrypted:false
      SSDEEP:
      MD5:4463BFA2CA9B47076CD6D41E108324B6
      SHA1:56B1B7141EB239319F52FD0F1BCE7A0312683B3E
      SHA-256:8911FCFCF6B0579150F392620DEAEFD84AA8EFCA8A2F004ABFF5278AB4F16C99
      SHA-512:1A76EE6EB3BBB43DD013CFFD467F48195214558CCDC983C8F759E4D6BFBFB51327D998625A6FB134F7B7FF3A1661FAB7867C4B338D465AEC2F9618AD7355F902
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..NY.NY.NY.G!R.LY.G!C.LY.G!T.IY.NY..Y.G!D.AY.G!U.OY.G!V.OY.RichNY.................PE..L......^...........!.....N...........X.......`.......................................................................~..J....q..P................................=..................................0q..@............`...............................text...*M.......N.................. ..`.rdata.......`... ...R..............@..@.data...D5...........r..............@....reloc...>.......@..................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):104448
      Entropy (8bit):6.403565031396433
      Encrypted:false
      SSDEEP:
      MD5:363A1B51EB026D9A357FC2A45DB375FC
      SHA1:DDE35FAA82B257AAA91838D134F09E8294245CAF
      SHA-256:EAF8263F1310C62C4787C05DD8BE92B2247DA411825DF02B8EE7CC556A5D6B1C
      SHA-512:5F40E31B2656EC04E9E2FA80BCD1635D4E4777B9D4F0F18E36D194AE96A18445CCE3EEA4072AFF6477296EDD8AEA5580069C9A62C31B94323581030D838C637F
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*8..nY..nY..nY..g!*.lY..g!;.lY..g!,.iY..nY...Y..g!<.aY..g!-.oY..g!..oY..RichnY..................PE..L......^...........!.....<...^.......F.......P......................................................................pg..@....\..P...............................4!..................................X[..@............P...............................text....;.......<.................. ..`.rdata.......P.......@..............@..@.data...L#...p.......X..............@....reloc..."......."...v..............@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):148480
      Entropy (8bit):6.4559297217011435
      Encrypted:false
      SSDEEP:
      MD5:D29890A4CAE3775FA31EE3C47A756CDA
      SHA1:6024EBF2792512DB1DB4238C7CCBDD70FEBCF444
      SHA-256:95CE27439EC01DC9DD30F67EE1791371018C9F47CBF602ABC0C813F057F39AC9
      SHA-512:A24B086CE651D2698CEB35DF5F438FFC959E8F83E17F0CA5725A547DF89A3316DEA9BCBD9C50DE78254A82AE0993679228B0CFC5CA8F5B54A7ACEB51EC4047C0
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..NY..NY..NY..G!*.LY..G!;.LY..G!,.IY..NY...Y..G!<.AY..G!-.OY..G!..OY..RichNY..................PE..L......^...........!.........................................................p..........................................D...<...P............................@...-..................................p...@...............0............................text............................... ..`.rdata..............................@..@.data....1.......*..................@....reloc.......@...0..................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):127488
      Entropy (8bit):6.385367048777922
      Encrypted:false
      SSDEEP:
      MD5:C10EF85F3BAEE0AA3EFEAE394C86C33C
      SHA1:73A723C344FFC18996A3CFA1E32970A95851EF64
      SHA-256:96B6B4BFD070CD0CAA3FB28D411DAD27E6616FCDD73FBF7E55336809BFF68CBD
      SHA-512:E400695DB3CB0C839EA32413716B49EC098ECAF1574C808EE74E4C5E26B31644AD3441C05EBECA58DAC4599E036469245F740661189CF8265BD1503547A75283
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<i..<i..<i..5...=i..5...>i..5...;i..<i...i..5...3i..5...=i..5...=i..Rich<i..........................PE..L......^...........!.........n......_........................................ ..........................................F......P................................(......................................@............................................text...z........................... ..`.rdata..V...........................@..@.data...<).......$..................@....reloc...(.......*..................@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):99328
      Entropy (8bit):6.430005118693343
      Encrypted:false
      SSDEEP:
      MD5:F64B6CC4EC3B74A490C879A4C0010857
      SHA1:7040F8742DC66E620D9B012614A34345588DAA1F
      SHA-256:D770724D172AA8BDE783687CF0E533C7F2EA5991003044EA412EE3CBC51B35D1
      SHA-512:290401DED569E5A7F4A6EB4CC3D97FACC95281533489BDD240F38C74426C545C616F86B2053F5C7E1536329C454ABBC8C4AB7953B75A631111A0AC72FBB1EA5C
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..NY..NY..NY..G!*.LY..G!;.LY..G!,.IY..NY...Y..G!<.AY..G!-.OY..G!..OY..RichNY..................PE..L......^...........!....."...f.......,.......@.......................................................................W..T....J..P................................"...................................J..@............@..0............................text...:!.......".................. ..`.rdata..4....@.......&..............@..@.data....&...`... ...@..............@....reloc...#.......$...`..............@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):64512
      Entropy (8bit):6.388477119744748
      Encrypted:false
      SSDEEP:
      MD5:7E79456D57CFEF3F8BB6560DEF8659B0
      SHA1:033FE10023858CC8FFBD6EA20D519A8F68CDD7F3
      SHA-256:41CD71CF98204DE7023E131801D98925B890C2B510062BA67D6BFFA71356C79C
      SHA-512:EC16F30CD99322E49251D85CF128DEF6935AC0815BC2CB25DE8B7490C7EFAD180C0B1BC270460AA37738B6BDF8F52148A82E80FF20FDF5431955C2D538F6F230
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<j..<j..<j..5...=j..5...>j..5...;j..<j..Dj..5...3j..5...=j..5...=j..Rich<j..........................PE..L......^...........!.........H......4........................................0...................................... ...H...|...P...............................8.......................................@............................................text...J........................... ..`.rdata..h...........................@..@.data...<...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):37376
      Entropy (8bit):6.050080731883013
      Encrypted:false
      SSDEEP:
      MD5:226D7573C619FD9D8530485B168CE26B
      SHA1:C5FA4BB6BB6B5E4EA76722EE6839C4223E5D5A67
      SHA-256:FE1278069FCF3B2DCE55BA89640A8A9D9B35B79D4F05B4FCCB142408BC691402
      SHA-512:3B4505D4C1374A4A1EB630DA2930AFB45D346548C73506798E30D1196F1E1A01C3CDBC13A89E5F5940D1D2B6B4287955D0DB8A38E71E3AA6BF3D36C5748A1A10
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<k..<k..<k..5...=k..5...>k..5...;k..<k..ek..5...3k..5...=k..5...=k..Rich<k..................PE..L......^...........!.....N...H......DW.......`......................................................................`z..H....q..P....................................................................p..@............`..p............................text...ZL.......N.................. ..`.rdata.......`.......R..............@..@.data................n..............@....reloc..P...........................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):121344
      Entropy (8bit):6.41518889933716
      Encrypted:false
      SSDEEP:
      MD5:FC25FEAC7569F19EDFE425BEC5E68F35
      SHA1:459346E08EFAFC64E34B351C8639F2898E6B013B
      SHA-256:577F80830225C3EBB8C997C0181234C70F4ED2E518501097E499AC4BA0AA35EF
      SHA-512:C99007A0CF4A156676DE746E96B8D16096D9D45731E68BBC9EAF32AB5CB18E2389176A5EFC7BE1D9B5B0EBC908FF1290F0A472945146E21EDA1A06CA8CD35129
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*8..nY..nY..nY..g!*.lY..g!;.lY..g!,.iY..nY...Y..g!<.aY..g!-.oY..g!..oY..RichnY..................PE..L......^...........!.....h...v......{r..................................................................................D.......P...............................((.....................................@...............`............................text....g.......h.................. ..`.rdata..T............l..............@..@.data...l........(..................@....reloc...).......*..................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):147968
      Entropy (8bit):6.402938516007533
      Encrypted:false
      SSDEEP:
      MD5:F7A270C450FB39D1231A2DBCC0E6DE37
      SHA1:3E0682979027BB4C7BAF867E697CBCAB35F7911A
      SHA-256:76CE36756F240AB49E649A8DD2C1714BF60678060A49AD437DBD614BF39EC707
      SHA-512:04D9203D3E41F3F00835837537D3A83B5F79343840338DA69C116C0700A3428B5067AE43F54716D5DC0B9A466FFCCB601B09E6C7501586A8DBBD18D621489B92
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<...<...<...5...=...5...>...5...;...<...B...5...3...5...=...5...=...Rich<...........................PE..L......^...........!.........................................................p..........................................B.......P............................0...7......................................@............................................text.............................. ..`.rdata...$.......&..................@..@.data....-.......&..................@....reloc...7...0...8..................@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):37888
      Entropy (8bit):6.306665638065492
      Encrypted:false
      SSDEEP:
      MD5:E60DFA51A57F042CB50E2F0AB3F029FE
      SHA1:5F0D13AA4BAAC767F0C8FA2B2D2F3B44EEDFB698
      SHA-256:AD7264DAA45D987245CB6A61FB4B96A47C4C75DB0A099F86282E82980D2FBBD4
      SHA-512:5DFD16BB5063CE398DD12FBD97C8D05AB0728E07D5659388351F32228F5B9EDA185F31A18DBD5703432FFE5DB583FAA2DE92EA7982CCF0E5B0992E4A16EDB748
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..NY..NY..NY..G!*.LY..G!;.LY..G!,.IY..NY..&Y..G!<.AY..G!-.OY..G!..OY..RichNY..........................PE..L......^...........!.....b...2......;l..................................................................................L...\...P...............................p.......................................@............................................text...Za.......b.................. ..`.rdata...............f..............@..@.data................v..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):128000
      Entropy (8bit):6.406165667882317
      Encrypted:false
      SSDEEP:
      MD5:4208804645BEA91594E678339B3873EF
      SHA1:D55DA0D95CDB6A2770CBE4158A79AABC1815F3E6
      SHA-256:3249E00CAE36F76429DA4336AB2618A397A986FBAE677D6590A4D6BB691ED027
      SHA-512:17D45BFC98159DAF71C9D15F9ADA868AF058AEEEBCB06D3A9407E4D4424513C093C34F09A7166A4FFDED72BACBD416C82D20179315C6624E3E574E7683FBA6B6
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<i..<i..<i..5.1.=i..5. .>i..5.7.;i..<i...i..5.'.3i..5.6.=i..5.5.=i..Rich<i..........................PE..L......^...........!.....~...z.........................................................................................J...,...P...............................D+..................................h...@............................................text....|.......~.................. ..`.rdata..............................@..@.data....,.......&..................@....reloc...,..........................@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):147968
      Entropy (8bit):6.4623646493196025
      Encrypted:false
      SSDEEP:
      MD5:A6191DD023CC1FF455B1FA8004B3A6A2
      SHA1:D4BA7CE1625593A09730E5A513440CA93517A5AE
      SHA-256:3DCA0A2CCDBB191A407E7D0EC7FCA8DC91FA65807187058F58CDC7DF1208E197
      SHA-512:5BC154FFB6B41B4280FA731AD4E8C54A644F5666A02ABA30FA05D50C1F8774BF5F76820906D4145536F4A89DF6B4765CDD089C0CC8FE895AD8BA498B39A4E389
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................U.......D.......S.........3.....C.......R.......Q.....Rich....................PE..L......^...........!.........|...............................................p..........................................\...l...P............................0..L1......................................@...............0............................text............................... ..`.rdata..............................@..@.data...|,.......&..................@....reloc..F2...0...4..................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):73728
      Entropy (8bit):6.339986881655648
      Encrypted:false
      SSDEEP:
      MD5:4D71C0975D2CA9F87CDFA33A0609957B
      SHA1:DB8C16B188179F3AF6DAF22ACC708C8BED60325C
      SHA-256:EA8D0A0B6DA713A0F39E14F56A958A2F5C594E897483369862EE64575002D634
      SHA-512:047683388B7B97B47E9B29BA3FC5B5ADD1741754E908E7D2C65D8B4B6CFA81E335E197CE79022F014EE8BE6F5CDCC4C2DAAD16F563847E103F292E87A9B14B92
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6X{.r9..r9..r9..{A..q9..{A..p9..{A..u9..r9...9..{A..}9..{A..s9..{A..s9..Richr9..................PE..L......^...........!.........J...............................................P..........................................L.......P............................0..........................................@...............,............................text............................... ..`.rdata..............................@..@.data...|...........................@....reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):6.284345532475225
      Encrypted:false
      SSDEEP:
      MD5:04EE4E187C3476BBC76012B086B9B2D6
      SHA1:2E24E1DC54AF3ED9332910D2501A1DE14E21B1EA
      SHA-256:B2DAB2CCD146CD1599C8DC9EFD09A94A9A7601B78FA544E5BDEA5015A364929A
      SHA-512:4F3C878C9DF4319471657B7DC168FBD0039F1F55B0B8273EBFCEF42F90DB8CD43009B1575FE2FFFDDF621C8BEAB53144E32BEEFA3F6045D87B00A82CC7DAD357
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..N]..N]..N]..G%*.L]..G%;.L]..G%,.I]..N]..4]..G%<.A]..G%-.O]..G%..O]..RichN]..........................PE..L......^...........!.....R...0......;[.......p..........................................................................^....t..P...................................................................(t..@............p...............................text...ZP.......R.................. ..`.rdata.......p.......V..............@..@.data...<............h..............@....reloc...............v..............@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):45568
      Entropy (8bit):6.251448661506351
      Encrypted:false
      SSDEEP:
      MD5:540C77D6C5642C32B71F29F747961A07
      SHA1:380FA0F16D2F81CA6B7010BE7BE1BF8A022B6B06
      SHA-256:05438A8CD15A2E004B2A56C0B7730359FE34B355948974376A0FDCC2AF445F53
      SHA-512:D60D150D7FCF674186D71A14DA114CB51A09D86199218166DCF82DC25C217EAB36C18EF5A4D9F9705D83BDA1AB8B9BAE2E26AC5FE9980419865E7505A8EB1B7D
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\i..\i..\i..U...]i..U...^i..U...[i..\i..)i..U...Si..U...]i..U...]i..Rich\i..................PE..L......^...........!.....x...:..........................................................................................L...,...P...............................x...................................h...@............................................text....v.......x.................. ..`.rdata...............|..............@..@.data...............................@....reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):444928
      Entropy (8bit):6.543989582605182
      Encrypted:false
      SSDEEP:
      MD5:705CCEE9A12ADF583DF54271DA5F63EC
      SHA1:71D29864429E3A97AA39133743C38551B6DD44E8
      SHA-256:FE3C64C96A7E6D776E9C6FB53A4FB00151145C4585DFE0A261CF15EC99298BA0
      SHA-512:59B1EF59355E0178BAA262CEFF5575A623ABA110291C3147FA6343502ABEA25EBF558C5ADC505EAB9E54C49F62814864909587AB65CEAFC1E71F0F7CA7D66671
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..NY.NY.NY.G!R.LY.G!C.LY.G!T.IY.NY..Y.G!D.AY.G!U.OY.G!V.OY.RichNY.................PE..L......^...........!.....`...z......ki.......p...................................................................... ...V...|...P............................P..........................................@............p...............................text....^.......`.................. ..`.rdata..v2...p...4...d..............@..@.data...4...........................@....reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):43008
      Entropy (8bit):6.328854722149623
      Encrypted:false
      SSDEEP:
      MD5:1D15EC5BE64BEA5C7D147C6B1775D5D7
      SHA1:AA2AFA3219067DFC435435106A22E4FA0EE016B4
      SHA-256:6B5EF1A0C3320E1F06DD275C78E36FAA37568D86FD5C6D3194E7E0837D956C40
      SHA-512:9EEC62743401842BA1F28B9D1DF43C55E086933D4E531376F95B13E18119191D191346E73E1DF94976A508324647F4AD74210D7BEAD859925E6EFC6EF631410B
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...!*..Y...!;..Y...!,..Y...Y...Y...!<..Y...!-..Y...!...Y..Rich.Y..................PE..L......^...........!.....r...8......[{..............................................................................@...V.......P......................................................................@............................................text...zp.......r.................. ..`.rdata...............v..............@..@.data...............................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):81408
      Entropy (8bit):6.370671966450294
      Encrypted:false
      SSDEEP:
      MD5:1C53BAC1AEA43F918DD1598F7B5747A1
      SHA1:53C28BF43B4C7BB99D97F6814C3E8E943E03A147
      SHA-256:EC1CC0A17D2EBE49A8D9F15E21DBC9BE9EC8C7BCC39DDBCC00B9562EA6672A2D
      SHA-512:2A893DBCDF94EAB36268F09FD15EC60CBD171E3DC47C80FC43164C4D83C64E3AF2A9F3EEBBF7191E08808C408A69F94860A03011805D6EF9925E2D4948AA83BC
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):35840
      Entropy (8bit):6.274525012072884
      Encrypted:false
      SSDEEP:
      MD5:886495B6CF9E86D695896515A2D92724
      SHA1:E8D44F1539100BB1FA31C5D697C4A3FB1CC72D16
      SHA-256:37CDBA1AB3F52053B89D715F298CC0B240A5F1FA3067606268F8F6AA02C42B1A
      SHA-512:1A419F037BFC93428DAF3AD31481E22ED8724CCB74303A925FB0A7FCB7335693A97146578AFE19FCBF1EBD6EF9B85C965CAFBF85DAB5F3EE1CD6DA1D138765AC
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):62976
      Entropy (8bit):6.328065824250149
      Encrypted:false
      SSDEEP:
      MD5:A6F132733C65DFC6874D7A763A6595B7
      SHA1:EB566FCF4134A7A051F63E20C0829CB370437404
      SHA-256:04A13630486F189CCD1CA3F7DF4A128ED24F301BDB0DCD56193F8DED23B0D97B
      SHA-512:CA8EA6249A87CF84B7B210C6A9431AA5CAD79F55798FCB5930518A330B036FDE3FB9C84F8A02A62DCF05A2286B2201E2986E88A6C1492305A7E013E987B01F6F
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):46080
      Entropy (8bit):6.375886554189573
      Encrypted:false
      SSDEEP:
      MD5:5BCC219BF259D59B80307427D0AAC329
      SHA1:F074B58D20F97655413C398697627AE0B80ABCB5
      SHA-256:A061C87DF4C0290B8F3020B7E54B12A6A9C011E133C0BC5EDF350B9E7CB7AB47
      SHA-512:0E6B30320E386A090CF018AAAA7A62513753EC06847E90B1E51487FDB7FE8E3EE756A84D972CC6E0A311FADAFE84CB11F0E4CC9D2CC54CA6C8F98A0994AFF217
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):48128
      Entropy (8bit):6.322866798850283
      Encrypted:false
      SSDEEP:
      MD5:A9D91F161CDD06946416AD13B695A58B
      SHA1:812026CFDD5EBA0B3AD99636EF1730933DB3441E
      SHA-256:D5C342636887C42C7BD0A302D165870D52C21949783C590A15CFF2CBB132AECC
      SHA-512:529D08E54D862B1B69290206A10E67302FC3DFE41B213B0251FA70269A2AAE1CC1DBCB2C421E1CE521EC590EA432F4BDD8AB3B41B96974A15D38E26A6B5C20D2
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):104960
      Entropy (8bit):6.466899722209181
      Encrypted:false
      SSDEEP:
      MD5:CF58094C752009A9D72A2A08B9B5CB1E
      SHA1:A32AE4E91A6186DBFFA58921E7FA8A68A7B08189
      SHA-256:DBDBA14562848E376336BB2580EC25BF3729EA61538128336E415A8907B5E63C
      SHA-512:600A2436206B5FF9A3F32A2DB97F66F06E8DAFD62C79587DDC9C57DF06195DF8ED6FF39A830D5C4B4CA304E211DB5C0496A8C55D401A95A9007F43DE7325B4E5
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):14336
      Entropy (8bit):5.848127179924235
      Encrypted:false
      SSDEEP:
      MD5:32086DA3AFDF537E5DB3D5B15938B9AB
      SHA1:A2F3D9AE5A5D4E31DF2537E7AA14E8E997D924BD
      SHA-256:58330C9D0E6784CEDE75210D7433D45F6D1CC05C76727505AE7387C0B96947C9
      SHA-512:9072EC639DA2C796A7A6A46EDE883643E149E459B534416877CAD44FD43DA97FCCCE802CD276AEB3CDEB9253F68903C09D814209F6691E7AAAF835D5AC11D544
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):148992
      Entropy (8bit):6.490350461623646
      Encrypted:false
      SSDEEP:
      MD5:F82C561B621B6B02C8B254E4FF7E255A
      SHA1:E04B8F6B19B80EEBA28438A6085BA421D6F9E210
      SHA-256:A5F7B1D9609EBB4EF4BAC3A7345270667533CDB603DF7F68C1ED188F9AC6BBEC
      SHA-512:3CAE61629C6E65E560C75093A2C03832910E2CA277CEDE9A65849294222D34924DBF44C4D69C951CCC1CCFD1A31381414C15C0D9D84D8E521AD0ADD327424ECA
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):61952
      Entropy (8bit):6.213521072820622
      Encrypted:false
      SSDEEP:
      MD5:F6B9288A5ECE3426AC9B4A95EA0C9151
      SHA1:FA5BAA712700F0223D8AEBBB146D1B9F926D1166
      SHA-256:8706DFAE2A1502DE0267CDA7188AF23491C1B4FADDD645293C934CA01F8B14C9
      SHA-512:B9076CE4213E2B5AEF9ADAD36C00B20355A4EDB7924AC3858CB98F8EA199A8266786F08C78D7CEE448008AA4D665079967A88F1C5BA14F837389DB56C95FF4B4
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):13312
      Entropy (8bit):5.95774592017594
      Encrypted:false
      SSDEEP:
      MD5:EC1E8BD487577C274EA8E3C8588CB1D7
      SHA1:B51D7F4C405165CF03DC4164EC28327300DEB41B
      SHA-256:872D188C64CD499D684812B128C282D95DA55DCC5645E0526E823BA8D4EE7F58
      SHA-512:C66532BEDC0CB978414833F4C2D365D7897E8CC153C1C496EF39877B80E9F651BBB2D73A4F272DDB1712B02798D0C5F094497E65909A1835971DE62BD749E142
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):49152
      Entropy (8bit):6.370824695484224
      Encrypted:false
      SSDEEP:
      MD5:46D8A3C9FD7C87F7DF58D30D055A1061
      SHA1:2574A332B113E92D7BCA18B2D1141E2F1AD85DEF
      SHA-256:6CE3E2671B5FF391845673A3D1F027289A7B2919B2E7A9E8D01C6664EEAE5AC4
      SHA-512:7480ED365C1389C7E40DA73EBED15457D3E4A2DA44379D5599DB4EC548F61D106AD195508AD5B0A22E003BE753CD10D8B46C202449B9BC52FECE72C499B56BD8
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):70144
      Entropy (8bit):6.3736066953123505
      Encrypted:false
      SSDEEP:
      MD5:86ECFA1314D3AA5E3BB6A5B1559532D8
      SHA1:E3088D871845110FF829BA110182325094A0FDE2
      SHA-256:30D8E93D909DE926743E0E9731149F61F4F6523A6C6DFCE1EC3D90F4653654A9
      SHA-512:3A1361F08DB0B52AE8810D9068A53C2B1CF585DF5A3E8664D741D449BB86795A21B78FAE9BCF9CF4E7A124353B4E7351D53392BDBBAA1B5412C761C6210F9E42
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):187392
      Entropy (8bit):6.436158035823645
      Encrypted:false
      SSDEEP:
      MD5:2F0F5858FF5A93868323A2809DAF7EC2
      SHA1:1BB355B45DEF3824AF338CCFFB1D81469C6D80A7
      SHA-256:7215D625144B42A92FD2CE563EA6137A2B58B73C6F534FA126477E4FBE02F730
      SHA-512:4BE670349C0E14251081A8912F5B459DC37FB147DF7CC9EF3CA91E6A4553B5649BF96AAD959653411DFCB000946A76BE861707DFEF6A293FFE4636ADFF12C301
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):39936
      Entropy (8bit):6.314321948614945
      Encrypted:false
      SSDEEP:
      MD5:89CA719EA548DEC02BF0B5F84C80FE8C
      SHA1:C6F2C7183BCD945ECF9F7D556729ECC0BAA6A026
      SHA-256:CF0F69AAB727CEB8D5BC6A686C203393C01D3D5BF3CDE8C20C137EB3C4C319A2
      SHA-512:8A3BC94B42DAB39F312C6A9A096431E642B5AFF12A52B9ECC2790165C7C2E3F87166DA995005D7614A0149BB5BA156EF5009082C5A20561A5317ADF6D3658178
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):159744
      Entropy (8bit):6.460531976986463
      Encrypted:false
      SSDEEP:
      MD5:5784D12BD8AE11FAC36896A1D431A4E6
      SHA1:89AC3BB104A51435B9EA582CAC26B3A05810C020
      SHA-256:DD4ADB85575A68E373193C00A5CF17E4B17250E428CC1A1C46CCCF13FC8A68BC
      SHA-512:E95FBEBC5069F133F7663901D1A3EE3CB077B655B5BB250FDF63D5A367A4EA89C35F014426C441AB44842B0EEF8464DED8AE959DFABAF8E738DA6EC42D2E6E19
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):350720
      Entropy (8bit):6.4395796952023865
      Encrypted:false
      SSDEEP:
      MD5:74F89E4E81FC3FD945D5C6150DE977E8
      SHA1:BC3A46EE876FE2C93AE74D99996E3F0294E55A44
      SHA-256:5862432F7909F8BC56BBDEC87884EFD8A3E5FFD1510EC2A613AD32E363C5C08C
      SHA-512:853294067A99611254A051EE5172231C2223705E6C8CD6FB7416305CD575AD7DC894D1497282CE5B2556CD9ADC20A8BECC9AB1D98F3F450E8D3F9826FCB3C55D
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):26112
      Entropy (8bit):6.149938496707501
      Encrypted:false
      SSDEEP:
      MD5:4C706CC2D1077D6E782588B447BDBA93
      SHA1:2BA950E558CEA600595B877333751BE6C3789025
      SHA-256:4CC4654706CD6FD4016AF3DEB744CF26B91C86AF3B003E473E392137015A94B9
      SHA-512:4213DCDB84C6DBB32E65A0F8915E69D46068BCF1F393D8B42F4FAD95234085B44CE943EAB01488E18F4D20720F095CF213ADEF1A69DD9FCE80C334A09542E737
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):58368
      Entropy (8bit):6.280261100917009
      Encrypted:false
      SSDEEP:
      MD5:BF05E7C91D314D5E8A05C3946C6370A0
      SHA1:5D5DEAE40045273074EDDEACA3DDA2C740118F25
      SHA-256:4E8AC14B0A838460F6750265B0FEEB25C0EE0C35163828378B34C34941120462
      SHA-512:C1608F1AAEB8BF6B52EFBD1638CA95192FB11758ED2B58B0790EE6A19B6221160C86AFA50EFCC937829076C483E687886078DE99C5ECF5E12FE85765BCFBBDFB
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):56320
      Entropy (8bit):6.3092934476179
      Encrypted:false
      SSDEEP:
      MD5:EEE7F401842F577AC714C851E52E2EFC
      SHA1:7A860C96849FE3689ED54ECC1D203AD18D072314
      SHA-256:9222DED71F942DA658795CE2FFD2E5A64D7F5CE0FD314B3D56B4D9AA8655DEFE
      SHA-512:ED67EEE94AF1F648E3FCEB923E7288C0415BA0FD48E8C36354C82DCC4C936AC696EA8541773C2824E1BC8BFADFFA69E2CA5F16E658C836182CA3CBD4A8A04CDD
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):522240
      Entropy (8bit):6.541571332139685
      Encrypted:false
      SSDEEP:
      MD5:ADAF7DA47CDA12A940A137533E4EAA13
      SHA1:5DE8B2F38DE156D37C9BFDDA067B3A9C650529AE
      SHA-256:CFDC891B26493A7E1F0AE35B46D9779669882654A9C4369CB2D053E7F5C8D237
      SHA-512:F6C20020981FFC20328C778586377E765F560BBE2678B0F96986311D23CD893140E4537DDD394E2C913E76A745F239AAF89E47934AEC147F4D12A02BFD08C438
      Malicious:false
      Reputation:unknown
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):119808
      Entropy (8bit):6.443168419699998
      Encrypted:false
      SSDEEP:
      MD5:1120EEFB2BEF654B292D5FF37707FD26
      SHA1:35FED24F6746A429301D4FFD1B7CA30A6A9A09B8
      SHA-256:DC6CE5ADEAA24EAE137ACD545BEF738EC217E27B91F53AAE6D6667189AF865E6
      SHA-512:E9FE933703AD192DB81263FB22A6013AF74D39EC73182FA13DF26C6CB3456DF2FACA519B5A54D072C6A859FAA0913AC468A9922DF8DEAC17546AD11761A6E5B0
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8..RY..RY..RY..[!*.PY..[!;.PY..[!,.UY..RY...Y..[!<.]Y..[!-.SY..[!..SY..RichRY..........PE..L......^...........!.....h...p.......r..................................................................................H......P...............................x)......................................@...............T............................text....g.......h.................. ..`.rdata...............l..............@..@.data...,(......."..................@....reloc..v*.......,..................@..B........................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):3757568
      Entropy (8bit):7.012770356754067
      Encrypted:false
      SSDEEP:
      MD5:954DB384F5C431F984DA190B7821B9A8
      SHA1:15EBD3A4136EC58004983BDAA9B964A08D32DE25
      SHA-256:CCF2DD7BC8B7F8A3587F132D1E9CD789560F628F3715F06EE0A888150BE9E90D
      SHA-512:D5BB04B28E7B6C2E2CA018831129C6F37D35AEA2CFCB97A52D318DF73582C1A7C30064B4D9E3A617660C3009462B388040ECDFAE363284D3CC6A0A83ECD44758
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y...y...y.......y.!.Z...y.......y.....y.....y.....y.......y.......y.......y...x.c.y....0.y.....y.....y.....y.Rich..y.................PE..L...`CzK...........!......%...........!.......%...^x..........................9.......:...@...........................$.....D.$......`&..g...........\9.H.....6.d.... ..................................@...................4q$......................text.....%.......%................. ..`.data.........%.......%.............@....rsrc....g...`&..h....&.............@..@.reloc..H.....6......l6.............@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):3772928
      Entropy (8bit):7.009508208409266
      Encrypted:false
      SSDEEP:
      MD5:15B0F8026C62D4110A9EBB414891056F
      SHA1:1A9313215F58A46B7043D5293C51F74A9311DE4E
      SHA-256:20919D879B95F316EFD561BB515DF10B8A545296ACBBA4186195C1724CAA5364
      SHA-512:4AA10445EF6B8F7BC4FAD2751B956A7E44861412FB5AF6725646160BC64A14EA1A13D19B8865C99809F6B3F383C27A5ADE3A1A46D2F6ED391C85CAE0D0C5C6C6
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........P..w...w...w..\....w...T...w..\....w.......w.!.....w.......w.......w.......w..\....w...v.A.w.......w.......w.......w.......w.Rich..w.................PE..L...bCzK...........!......%..........K!.......%....x..........................:......3:...@...........................$.......$.......&..g............9.H.... 7...... ..............................H...@.....................$......................text....%.......%................. ..`.data.........%.......%.............@....rsrc....g....&..h...@&.............@..@.reloc....... 7.......6.............@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):59904
      Entropy (8bit):6.0508544123612555
      Encrypted:false
      SSDEEP:
      MD5:AF7478D42B7DC917A2BE9DD02F711887
      SHA1:3574F79669C09983CE2E405FD759A140995EBAA7
      SHA-256:FE088EBCD88CD5731BB71B2E46B2FE37F753E7F9D0508B3109B14512C1819640
      SHA-512:A3C1850E8FFA42E251D6F6812CAC9EB8559E4355F755546E95CF2AD33C2046B82CEFD73F3339607FA9DC335AD35FF296DF1F2F42523E4DF57B812A9E7EFCE682
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*l..n..An..An..AI.Al..A..Al..AguZAi..A.B_Ao..Agu\Ao..AguJA`..AI.Aj..An..A...AguMAz..Agu[Ao..Agu]Ao..AguXAo..ARichn..A........PE..L...rCzK...........!.....:..........rG.......P.....x.........................0......-.....@.................................L................................ .......R...............................S..@............P..,............R..H............text....8.......:.................. ..`.rdata..^....P.......>..............@..@.data...............................@....rsrc...............................@..@.reloc..n.... ......................@..B........................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):59904
      Entropy (8bit):6.048344728135143
      Encrypted:false
      SSDEEP:
      MD5:5E99287E299A3F00845A28909724FB8D
      SHA1:8D248EF5F4844299C6EC712FCB8BBB93225CD280
      SHA-256:C744A98DDFE4C11DD253D683E8640AE6EB0437D72326737556A9ADC10E444CC1
      SHA-512:64EE3FCF0D746CA2EF38F9BCC786D907524DD7B59F8DB14FDDF1DF9E5E543AD1E57A283DED57C34468C241A32C41A8704423AC7564B51C12CD1E6A9CE7D58C13
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*l..n..An..An..AI.Al..A..Al..AguZAi..A.B_Ao..Agu\Ao..AguJA`..AI.Aj..An..A...AguMAz..Agu[Ao..Agu]Ao..AguXAo..ARichn..A........PE..L...rCzK...........!.....:..........rG.......P.....x.........................0......u.....@.................................|................................ .......R...............................T..@............P..,............R..H............text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...h...........................@....rsrc...............................@..@.reloc..n.... ......................@..B........................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category:dropped
      Size (bytes):225280
      Entropy (8bit):6.034678554881571
      Encrypted:false
      SSDEEP:
      MD5:8C026E70C6E4A6C6C4D1910A9EC3B7DB
      SHA1:6163333D42EA0416E8D8C83742AA4D436CC98BCE
      SHA-256:BF3C5E236E0A04D24DE80B8A79280D37A62BAFC4AFE7E3C69ED378A3E3EADF7E
      SHA-512:34F58546BCC75078B46C47D25DC077FAE59F1DC6101A1498DDD77431C72C15CC56F313FBA082D65F60BD12EB7E3B5A3550FF6A48D2125B5E9536F47FEEACF6C7
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...h...h...h..ah...h1.dh...h..gh...h...h...h.-.h...h...h...h..qh...h..vh...h..`h...h..fh...h..ch...hRich...h........................PE..L...y"zK...........!.....:..........Z........P....?x.........................0.......}....@......................... 3..4....&..d...............................d...P...............................H...@...............(...........p...H............text...T9.......:.................. ..`.data........P.......>..............@....rsrc................H..............@..@.reloc...#.......$...L..............@..B........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):569680
      Entropy (8bit):6.521606850426073
      Encrypted:false
      SSDEEP:
      MD5:87AF258581A96331E14B11280721516F
      SHA1:BA6720EB1EB8C69400F18FF1C4A86B72691F3C64
      SHA-256:DDA75FB28C09C353D0A2EF82908D34F5EE9B26EA0AC58B97FB2201FCED6EF819
      SHA-512:AB6A1F32196A3F345B6061AEF78E8FA7F99CBBD6910F3BE6672749BD445EAA838E7D41ECB7804D5D15511B9E5344F7C9A14BE21B6E91CA1602992E949E40825F
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...t"zK...........!.....4...p...............P....Hx......................................@.........................pP..,....E..<.......................P.......H3...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):653136
      Entropy (8bit):6.883619619946885
      Encrypted:false
      SSDEEP:
      MD5:EBE9F2ED58018DD0FC2A7C0D5F4DEBE0
      SHA1:64EB5818BBDC743C97056919440894EB8A311A16
      SHA-256:3DFF1BE93ACD9AF886DAC6E93E29F4027698DE4AB5341BFCF9B1B36FC9302B3E
      SHA-512:D4A2AEA629524C8CD1112EA3451E7F82FE60029192833957E7B2895AAD47542AF867B7CE7B761E611B99786236144D9116E632303C0694001E14EF12B21C1D5F
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...o"zK...........!.....\..........@-.......p....Rx.........................0............@..............................|..0...(.......................P........3......................................@............................................text...T[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):47616
      Entropy (8bit):6.356637922773023
      Encrypted:false
      SSDEEP:
      MD5:EDE5FFAF4A0561C0673D335D70157004
      SHA1:9641FC493DA4995447E725BA908276EF76D7322F
      SHA-256:E7779F48E259157823CBEA1D32BD700E210B0DECB43F682624C50A075EE24F93
      SHA-512:995E88C24A52FE322E0B0C45E72A913949D21DA6E80B4DBC46DC6CD77A9BB0AFF63D2F23369EF3316321A4603C335E1FB59D527D5BD894418058AE730A19FCDD
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..t..t.....u..}...r..}...v..}...a..t.....}...b..}...u..}...u..Richt..................PE..L....2.X...........!.....t...D......A}.................................................................................Z...L...................................d...................................`...@............................................text....s.......t.................. ..`.rdata..*............x..............@..@.data...............................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):138240
      Entropy (8bit):6.612873761652003
      Encrypted:false
      SSDEEP:
      MD5:0F67334823B30BF1413C6B9F95023F5B
      SHA1:9505310605E5837F6B7738480C7AABD97A7A8ADB
      SHA-256:70ABFE3E4EA9C14D12147B3502613CCC25D3E8D9404475F91F5595F0F85F5A04
      SHA-512:F65CC365D0DDAFFA83E8A4C3A9D6AFBDE15A98AA12B1DCB2A7D63B1D0F7588A8794DA0D31FBA0A82B759AAA5BFDC7E275A94C3C34B814C8E4E205AFDC4DE8D91
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2.\...\...\......\......\......\......\...]..\......\......\......\.Rich..\.................PE..L...+DqW...........!.........p..............................................P............@.............................J.......P.... .......................0..`.......................................@............................................text...2........................... ..`.rdata..Z?.......@..................@..@.data...t...........................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):2631680
      Entropy (8bit):6.7224146477246824
      Encrypted:false
      SSDEEP:
      MD5:995E4251389AB3C26E2301C5E6B6D437
      SHA1:8DEEE48FD8707E560A9856F162C2922C0AC615F0
      SHA-256:26ED8AB8B2064E1C6894B2C75790E135D9927B54E6353C18B242AB578321FBDB
      SHA-512:82A1CA9645C980125FB7D10C26155800263CD8B4F6DCF5FC2FEE6016128B8D3F90DA6B054A65D1300EC37AEED21F05CF394D205EF2E4C5ABD9963FBE936D5033
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#..^g.y.g.y.g.y....~.y.n...l.y.n...i.y.n...e.y.n...l.y.g.x.[.y.n.....y.n...f.y.n...f.y.n...f.y.Richg.y.................PE..L....DqW...........!.....X...........[.......p................................)......G(...@.........................0)!.t|..L.!.x.....(.D.....................(..Z.. u................................!.@............p...............................text...JV.......X.................. ..`.rdata...5...p...6...\..............@..@.data....B....!..(....!.............@....rsrc...D.....(.......&.............@..@.reloc...c....(..d....&.............@..B................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):395776
      Entropy (8bit):6.645630182293659
      Encrypted:false
      SSDEEP:
      MD5:58D993A0F34610852A6964966E3B7946
      SHA1:851659337570DFEADAC599720B6902415D6D3190
      SHA-256:E38AADC9DDF5737EB261B9390D5E2E4C3817C16EEADD6959BFAB3F4EDD629BEC
      SHA-512:EBF0DFD1A8BCCBC3C6D0BB3F4BF82E45CA7C70CCE2D3AA278B6084449889D64F1BBB8AE19A0D375BC3A64FC0D02270CEF0F2FF96282AE79A347F2A92579319EB
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f..^"o.."o.."o... ..#o..<=..&o..<=...o..<=..&o....../o..+... o......+o.."o..sn..<=..to..<=..#o..<=..#o..Rich"o..........................PE..L......T...........!.....~...........e............ .....................................................................>^................................... ..Tq.....................................@...............`............................text....|.......~.................. ..`.rdata..............................@..@.data........p...:...\..............@....reloc..zr... ...t..................@..B........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):109056
      Entropy (8bit):6.581545891211645
      Encrypted:false
      SSDEEP:
      MD5:FBEDCACE76621787F22E14875F1BBB27
      SHA1:5E463ABE5821876B00125BBBE1D5852371CE918F
      SHA-256:ED50A725CEC9C4AC26E90DF2BB7A68B48AB17D5AF2B3EBAAD2E9D392D9B4E1C1
      SHA-512:DFEF22892920CDF925087BEF3F5D10CFB5FAC9D423FA9C35FE1C0F8301115F321C7C54359F96B4553DA5B91608685EF82095C8636D5F38C641BC373A26656F83
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................R.....?.W.......T.......B......8........R......8..........X.....E.......S.......P.....Rich............................PE..L......T...........!.............................z..................................................................C...J...........................................................................)..@............................................text.............................. ..`.rdata.............................@..@.data................|..............@....reloc..\...........................@..B........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):11776
      Entropy (8bit):5.995803092493926
      Encrypted:false
      SSDEEP:
      MD5:1CF45085644B156A8074DD5324B2E209
      SHA1:17222C176F703F71D1CBD958A9FC8F5CE41B527D
      SHA-256:245ED67158BE55ABB24496A8E4BF3760689649884F6A88EBC9A52364F08BD66E
      SHA-512:B29BCA107BEB4EB65F154376C44D5415DA8731840CFDBF2282A3350DACBE5D05E312AB44274B4959BAA048E1CF7491A564FF5432416A23078CBD92BC33A1B8B9
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...zRich...z........PE..L...,DqW...........!.........................0...............................p............@..........................8..H....3..d....P.......................`.......1...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@....... ..............@....rsrc........P.......&..............@..@.reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):552960
      Entropy (8bit):6.7716707465479296
      Encrypted:false
      SSDEEP:
      MD5:BD94AFADAE67CD6D6FE35953CC35EAEE
      SHA1:76FFEC920D37E0DBEF6830CB27FC41DC76913D8D
      SHA-256:A5E836738F666D57092586EBCA1403048F082A2495C623219C4F9E2AD717C639
      SHA-512:C402D7A940E03656A8735F6C98F2CBAFFC1940D65D874D0A09873B8C53774E82C11308CCEEE5E9131148FE6D40BC04CE80451C7E26E5C153AB96EBA956BE0B45
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^^.0..0..0......0......0......0......0..1...0......0......0......0.Rich.0.........................PE..L...CDqW...........!.....p...........r..............................................dc....@.........................@...d.......<....`.......................p..\0.....................................@............................................text....n.......p.................. ..`.rdata...............t..............@..@.data...T....@.......&..............@....rsrc........`.......8..............@..@.reloc..,1...p...2...>..............@..B........................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1603
      Entropy (8bit):5.2677010672417275
      Encrypted:false
      SSDEEP:
      MD5:837034B54C2E32C109FC6A4C42652122
      SHA1:57C98645FA0252431F857FC524B1B39C71C1C195
      SHA-256:616739383A436F98423953FA9236D0BCE0E5E2D62ADAEC3877E243FE43B986D5
      SHA-512:1689CA86FB22C1A86A075A9F4054C0F754BA0240CE2EFA6E3E0798B955739A50734492469576E27D18B3B1FBE1F7492985F4F25AE3C653ACFED9EC112819ABC3
      Malicious:false
      Reputation:unknown
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">.. <assemblyIdentity name="tehtris_offline_forensic" processorArchitecture="x86" type="win32" version="1.0.0.0"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.VC90.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.30729.4974"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity language="*" name="Microsoft.Windows.Common-Controls" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" type="win32" versio
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):688640
      Entropy (8bit):5.43571815419785
      Encrypted:false
      SSDEEP:
      MD5:4C361EA592B2D286E904CB8068F81146
      SHA1:A7BC7D0B9783CDC1CF9C56B1B43B6B48E79D487F
      SHA-256:DF8172D471467BB878B727A780812DBA03053317680975B0C7C7D22AA22159C3
      SHA-512:197BFC70430BD498B0BE8D89CFF0A23477B2178512D5D8394007847312B28D9EE652255253DE7D1E1567B9F6B88605FC2B2BD0E1D691B16D107CB878CB44591A
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{H..?).?).?).6QE.=).6QS.1).6QT.=).6QC.8).?)..).6QY.>).6QB.>).6QA.>).Rich?).................PE..L...-DqW...........!.....(...V.......0.......@............................................@.........................pX..R...LR..P................................... A..............................@Q..@............@...............................text... &.......(.................. ..`.rdata.......@.......,..............@..@.data....+...`...*...F..............@....rsrc................p..............@..@.reloc..,............v..............@..B................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):99328
      Entropy (8bit):6.5766707412687975
      Encrypted:false
      SSDEEP:
      MD5:4808FC8E377C68AFC58E512EAEB92984
      SHA1:5D30FB56ABD2A4E66108A8E8CD21450A7E29DCC4
      SHA-256:63112ADEBC44D8183FAA148E53CC48DDDA0A9FB11C7D15A1EF5C8B36023F1205
      SHA-512:7C8994A78022499561D69893C67C4F16DCC826BA42BED01BB079324C980946A50463737E7F96F13915AA0A2728FF4555D61C33D7C7375DE69E0D71F9347F66F4
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w.z..b)..b)..b).D.)..b).D.)..b).D.)..b).n.)..b)...)..b)..c)..b).D.)..b).D.)..b).D.)..b)Rich..b)........PE..L......T...........!................<................................................................................g..~....B......................................`................................@..@...............D....B..@....................text............................... ..`.rdata..Nx.......z..................@..@.data........p.......T..............@....reloc..p........ ...d..............@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):360448
      Entropy (8bit):6.5675400080246416
      Encrypted:false
      SSDEEP:
      MD5:9FB774F33706129FFE2A90B04F84D5E5
      SHA1:83E681E2EEAA3E20906239876A704A57A37C9622
      SHA-256:768DCD6EE1976E560F2715815AC4EF29F3FD20613ED0F24F8B979F734C25586A
      SHA-512:C01F972145ED4DA26AC1433FA0FD5FC5A9F8D585C910A1258904AAF7991D41BF8B8C8A0E8CDC38B8B6FA5EBD686B27A371F1CDE64FE7D9390538D49A32F52507
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........PA...A...A.....y.@..._.z.C..._.l.L...H.|.C..._.|.G...A.......ff..H...ff..H..._.k....._.}.@..._.~.@...RichA...........................PE..L...^..T...........!.....*...................@..........................................................................F....................................P......D..............................xL..@............@...............................text...K(.......*.................. ..`.rdata..V....@......................@..@.data....d.......4..................@....reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):44544
      Entropy (8bit):6.318278473401064
      Encrypted:false
      SSDEEP:
      MD5:F6EFBB1763A339DC6DE93EE8D67494AA
      SHA1:FEAD47734A85550BDDE00A8AC9FCFC1FB42E38FE
      SHA-256:14DCEC3E89D5405AE7C189B149E3D7B86C951CB422AB5DB055BA3250F4D60CC7
      SHA-512:AC3F04FC5BDB86FB62BDFFD4C2078DC34C703EF474C5A7A1C2BFF5C3E41F7FB09E4D131B03B929C7BFF85704B9C82E90AA846BC7452ABA8AC59334C3EBB80DA5
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........ND[. .[. .[. ...Z. .E...Z. .E...V. .E..._. .R...Y. .|1[.X. .[.!... .E...^. .E...Z. .E...Z. .Rich[. .........PE..L......T...........!.....H...d......:N.......`...................................................................... ...T.......d...............................|...@b.................................@............`...............................text....F.......H.................. ..`.rdata..tF...`...H...L..............@..@.data...............................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):48640
      Entropy (8bit):6.45651820282447
      Encrypted:false
      SSDEEP:
      MD5:5019905E00D01416E62B5FE8721E7769
      SHA1:9A13BC27E2A15C9FF499C118C80101E75FC0191E
      SHA-256:72DC88BE876854DF9DBDE6865590C6BD3AF212022BB62A0AC764D3633A1B7953
      SHA-512:06FD943CAD80818EDDC67DBA861F8A13A6F3B10AA1286E2C5F44980BBC9CE6DB20EEDF2CECB8ACB328433706AF01A18CEE522D62DC4E6D0C1AF5E56E27ED13ED
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................D......G......Q......A......A.....k........,....V......@......F......C....Rich...................PE..L......T...........!.....d...Z.......f..............................................................................P...R.......x.......................................................................@.......................@....................text...8c.......d.................. ..`.rdata...;.......<...h..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):118784
      Entropy (8bit):6.623329768965339
      Encrypted:false
      SSDEEP:
      MD5:ACF918AF2EE731A87FD04CC92D4238F3
      SHA1:D64661A62C312CEC69FFF833FEDEBA153BDE9A6D
      SHA-256:9E6D114307D7A54B9EC65F068F488C98AF32C5ED9FA4D36E56078569EDD2F02A
      SHA-512:4EC2AFCF180041DF0C11C1C41676460021C4E4D091FDE08173AF06BFF2294AEF7411A422ED02B0F1E701333441881FD41656E06E4E96F1B0CFF2903574ED7BB4
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b|.n./.n./.n./.<./.n./.<./.n./..w/.n./.<./.n./.../.n./.n./.o./.<./.n./.<./.n./.<./.n./Rich.n./................PE..L......T...........!................^........0..........................................................................N........................................#..p4..................................@............0..@............................text............................... ..`.rdata..N....0......................@..@.data...............................@....reloc..N$.......&..................@..B................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):166912
      Entropy (8bit):6.58733338676621
      Encrypted:false
      SSDEEP:
      MD5:BB299098EE258491544ACE4F61620F74
      SHA1:4A99076D5435172EA72DB4188D6BEB1AE5098E92
      SHA-256:73C4571D5E9C538171FD8E86645B4593636F0AD97CF167440403E66A691B3178
      SHA-512:931BBA147902CD836FA22292F18CEBCE55657553B0E5BAD16B9BD3106F0C22BC1654212AC7DEC6C21278A864690AC8140D36E8F76D84CBF4927A87F7863F21FB
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9...j...j...j#.{j...j..xj...j..nj...j..~j...j..~j...j.0.j...j...j_..j..ij...j...j...j..|j...jRich...j........PE..L......T...........!.................p..............................................................................pO..b....$...............................p..$9..P................................ ..@...............(............................text............................... ..`.rdata.............................@..@.data...d....P.......6..............@....reloc...9...p...:...R..............@..B................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):23040
      Entropy (8bit):6.187314720225589
      Encrypted:false
      SSDEEP:
      MD5:0D4A1785AA8F949CFA2A19278CBE3C81
      SHA1:6E2AFE14BC7D882DA9BF02F9BEA3FA04641626B8
      SHA-256:2EFC1764B23E02B2E91016EA331E68207CB5C2579166CA305A196FE343719D4D
      SHA-512:F358BDACCB3C947AAEBC1F5479DCFD526D8C6D8742369E0EF6CF7EFC4060810469A25109CADE45CD93364B24CF0000A725DEB0AA45F603A210349EE8EE796FCA
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z..B>..>..>...,..<.. ...=.. ...3.. ...:..7...=..>..N.. ...:.. ...?.. ...?..Rich>..........PE..L......T...........!.....0...*......F8.......@.......................................................................Y..N....M..d............................p.......A..............................HL..@............@...............................text............0.................. ..`.rdata.......@.......4..............@..@.data........`.......P..............@....reloc.......p.......R..............@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):35840
      Entropy (8bit):6.382798861959788
      Encrypted:false
      SSDEEP:
      MD5:6B7ABDCAE8C87D280FABB5AD4A872988
      SHA1:37C9AFEBC1B0321E9EFFB08258970A51B5923BA3
      SHA-256:C4A166728C426AAE266C580BB7C6C41BBD825A090952DB818584341C0D047A68
      SHA-512:8F9B5357C5F6A1397ED1F21CB70DA1CE664FBA9BBAC4A790CECEA7F6562104452B5DC6241D9B8A96BB9720FA85074EAB268080F13D100516386A375F9D251E56
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Y..CY..CY..CG..CX..CG..CT..CG..C]..CP..C[..C~N.C^..CY..C!..CG..CZ..CG..CX..CG..CX..CRichY..C........PE..L......T...........!.....F...F......jO.......`..........................................................................T............................................b..................................@............`...............................text....E.......F.................. ..`.rdata..D0...`...2...J..............@..@.data...L............|..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):107520
      Entropy (8bit):6.535853767796153
      Encrypted:false
      SSDEEP:
      MD5:57E6E421969087038100DA2047AA551C
      SHA1:276ABF9FA4B22939170B64A9C718249BB49B3977
      SHA-256:2370403FEC2CE36EAF46CB446092EC63C565C21740121109CC620944B1D55FF6
      SHA-512:69A71D717FD6182A39992C03E140BC4CA3A4D584C4F84B4D079C4AAA2816015315E7D08FC0E636751914790B3FF249F0A474B052B31E0BE41D6AD9CFB7734FCA
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!..oe.i<e.i<e.i<..<d.i<{..<d.i<{..<h.i<{..<a.i<l..<g.i<B..<l.i<e.h<..i<{..<b.i<{..<d.i<{..<d.i<Riche.i<........................PE..L......T...........!.........................................................................................................x.......................................................................r..@............................................text............................... ..`.rdata..............................@..@.data...,............x..............@....reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):14848
      Entropy (8bit):5.772736762466878
      Encrypted:false
      SSDEEP:
      MD5:BCF11BD2A58F0D449D81392A46A7EBFC
      SHA1:CB09F876B7BD2B52DAFE6D1A5B09AA0FFE1333F8
      SHA-256:E3A887D0F189E00CD049F0F388270991A0E2E0CFD1E35A6E246BC2F77FFC1412
      SHA-512:5141540569A56D51BF6744A2B15A5DA1FB6468245C36C7B17BC27599DE119202547D4696D33A4FCA391F7230F7AAFDACF01B0F21462829BD608DDD33DD071471
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........YMN.8#..8#..8#..j...8#..j...8#..j...8#..@...8#...X..8#..8"..8#..j...8#..j...8#..j...8#.Rich.8#.........................PE..L......T...........!................P$.......0...............................`.......................................?..P...L7..x............................P......`1.............................. 6..@............0..@............................text...H........................... ..`.rdata..P....0....... ..............@..@.data........@.......0..............@....reloc.. ....P.......4..............@..B........................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):778240
      Entropy (8bit):6.3748021173150855
      Encrypted:false
      SSDEEP:
      MD5:D1C611B3DAD626ABAA78A580760FEB0B
      SHA1:32782642B36490237F1459F4B30A0F823237E59F
      SHA-256:A3AA561B758D9BBE21710E2A2C0389425FEEA1A101958B0A2AC26E96BFBF1823
      SHA-512:11974ACDB14B656FBE6089EC8F8CB757768FCDC5CF3B6DCB495B87F27641EC9EC84F04B7187E36589C03E74F35AC381D35DE2BAFBD757CEFE3598A924C1DF403
      Malicious:false
      Reputation:unknown
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................j....&........................0.......................Rich............PE..L......T...........!.....H...................`....(..........................P.......P...............................<..!M..4........0..D....................P..x....w..................................@............`...............................text....G.......H.................. ..`.rdata...)...`...*...L..............@..@.data...........^...v..............@....rsrc...D....0......................@..@.reloc..f....P......................@..B................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):176
      Entropy (8bit):4.713840781302666
      Encrypted:false
      SSDEEP:
      MD5:8C7CA775CF482C6027B4A2D3DB0F6A31
      SHA1:E3596A87DD6E81BA7CF43B0E8E80DA5BC823EA1A
      SHA-256:52C72CF96B12AE74D84F6C049775DA045FAE47C007DC834CA4DAC607B6F518EA
      SHA-512:19C7D229723249885B125121B3CC86E8C571360C1FB7F2AF92B251E6354A297B4C2B9A28E708F2394CA58C35B20987F8B65D9BD6543370F063BBD59DB4A186AC
      Malicious:false
      Reputation:unknown
      Preview:# Generated file - this directory may be deleted to reset the COM cache.....import win32com..if __path__[:-1] != win32com.__gen_path__: __path__.append(win32com.__gen_path__)..
      Process:C:\Users\user\Desktop\tehtris_offline_forensic_2.6.0.0.exe
      File Type:ASCII text
      Category:dropped
      Size (bytes):10
      Entropy (8bit):2.721928094887362
      Encrypted:false
      SSDEEP:
      MD5:F51138FD324F1012A838130C2EDF5704
      SHA1:2B871CBE2D95BDDD3870C6911766CB95270CE18E
      SHA-256:F81481C4DDD1561601C612B644B63B6220C0664934FBE46155487A1786EDE987
      SHA-512:59AAC7B50254147C76111C686CAA434FB0CF0538DC928125E7DE827902C682396D86E5ED3546A8F3E070A674BA398F483AA06C92C5DE66665B3A45B4F3FC5FB3
      Malicious:false
      Reputation:unknown
      Preview:I1..(dp1..
      File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
      Entropy (8bit):7.998291471388156
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • VXD Driver (31/22) 0.00%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:tehtris_offline_forensic_2.6.0.0.exe
      File size:15'502'144 bytes
      MD5:b24e639470b5cc0a46baa9fec06504af
      SHA1:9eed36e3dc36693372baeef8538d3024e75b8d79
      SHA256:1448e64b1323ae0ee97bcd7d712f8cb3a501c7fa06fb486f15da3601f1fa0a09
      SHA512:a64578152ecdaf9039ca99253e7108cb4fa7c12173467185dcddd5dc1053d7d75d26a476202a9c1e4fd655c90fd9e88861db3cfa2b1952039936615b29e20e71
      SSDEEP:393216:nRNR3iYOSiUq075W+4nHOdvQRjlTKKvYqFHj7ybKxg:nrdDObodvQRjhLYQPyGxg
      TLSH:C4F633C1D9263557E0FA697474FAE06CAB74BE1BB74D8E546B8CBC4631BAB32053C108
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................./...............................@..................................o........ ............................
      Icon Hash:449633717133964d
      Entrypoint:0x401500
      Entrypoint Section:.text
      Digitally signed:true
      Imagebase:0x400000
      Subsystem:windows cui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
      DLL Characteristics:
      Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
      TLS Callbacks:0x409b40, 0x409af0
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:4e3e7ce958acceeb80e70eeb7d75870e
      Signature Valid:true
      Signature Issuer:CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
      Signature Validation Error:The operation completed successfully
      Error Number:0
      Not Before: 24/05/2018 02:00:00
      Not After: 29/04/2021 14:00:00
      Subject Chain
      • CN=TEHTRI-Security, O=TEHTRI-Security, L=PARIS, C=FR, SERIALNUMBER=521 474 445 00017, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=FR
      Version:3
      Thumbprint MD5:68AB01C5A7DD8D27F7B27BD99CBCF928
      Thumbprint SHA-1:7F0F48F2E1C2F6FE8EAAA34A74912538C12F0230
      Thumbprint SHA-256:8E322B71935AB0060FA658B6BEE55AE9164CE6CFA084D1DC2FFD7CA4854014E3
      Serial:0665328A22F9ACA9002C179C18013237
      Instruction
      sub esp, 0Ch
      mov dword ptr [0041D598h], 00000000h
      call 00007FA02960B7C3h
      add esp, 0Ch
      jmp 00007FA029602F8Bh
      nop
      nop
      nop
      nop
      nop
      nop
      push ebp
      mov ebp, esp
      sub esp, 18h
      mov eax, dword ptr [0040B030h]
      test eax, eax
      je 00007FA02960335Eh
      mov dword ptr [esp], 0040C000h
      call dword ptr [0041E248h]
      sub esp, 04h
      test eax, eax
      mov edx, 00000000h
      je 00007FA029603338h
      mov dword ptr [esp+04h], 0040C00Eh
      mov dword ptr [esp], eax
      call dword ptr [0041E24Ch]
      sub esp, 08h
      mov edx, eax
      test edx, edx
      je 00007FA02960332Bh
      mov dword ptr [esp], 0040B030h
      call edx
      mov dword ptr [esp], 00401580h
      call 00007FA02960B68Eh
      leave
      ret
      lea esi, dword ptr [esi+00000000h]
      push ebp
      mov ebp, esp
      pop ebp
      ret
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      nop
      push ebx
      sub esp, 18h
      mov eax, dword ptr [0041E2C0h]
      mov ebx, dword ptr [esp+20h]
      mov eax, dword ptr [eax]
      mov dword ptr [esp+04h], eax
      mov eax, dword ptr [0041E2ACh]
      mov eax, dword ptr [eax]
      mov dword ptr [esp], eax
      call 00007FA029607093h
      mov dword ptr [esp+20h], ebx
      mov dword ptr [esp+24h], eax
      add esp, 18h
      pop ebx
      jmp 00007FA029604562h
      nop
      nop
      nop
      nop
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e000 | 0xbdc | .idata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0xf1d4 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0xec4d98 (a raw file offset, not an RVA: the Authenticode blob sits after the last section and ends at the file's last byte) | 0x3da8 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x20004 | 0x18 | .tls
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x1e214 | 0x1c4 | .idata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x9ca4 | 0x9e00 | 3b08f27e662ea5b8b275fcceb3cb1d5d | False | 0.523017207278481 | data | 6.10883565459153 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .data | 0xb000 | 0x34 | 0x200 | b14de7668341501705224003fff0effb | False | 0.09375 | data | 0.5844872522908916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rdata | 0xc000 | 0x4f08 | 0x5000 | b2745ae7b9f401f2707f3295671445e2 | False | 0.598388671875 | data | 7.001070768837529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
      .bss | 0x11000 | 0xc608 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .idata | 0x1e000 | 0xbdc | 0xc00 | ed3bf2b5d855e49595c481453ac3a243 | False | 0.4114583333333333 | data | 5.162175151313857 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .CRT | 0x1f000 | 0x34 | 0x200 | 9c7ff38071b82872ebefd029cc93a8ee | False | 0.072265625 | Matlab v4 mat-file (little endian) \240\231@, numeric, rows 4198704, columns 0 | 0.2711142780062829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .tls | 0x20000 | 0x20 | 0x200 | 8879cda41c83e55045e7c097b64d3643 | False | 0.0546875 | data | 0.1755262916558982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0x21000 | 0xf1d4 | 0xf200 | f174b96bfb3179cb689f50323bffee40 | False | 0.788723527892562 | data | 7.30929649276186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
      RT_ICON | 0x21280 | 0xb18 | Device independent bitmap graphic, 32 x 56 x 24, image size 0 | | | 0.4725352112676056
      RT_ICON | 0x21d98 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.7287906137184116
      RT_ICON | 0x22640 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.7471098265895953
      RT_ICON | 0x22ba8 | 0x909b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9971636186822983
      RT_ICON | 0x2bc44 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.38309128630705397
      RT_ICON | 0x2e1ec | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4826454033771107
      RT_ICON | 0x2f294 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.699468085106383
      RT_GROUP_ICON | 0x2f6fc | 0x14 | data | | | 1.1
      RT_GROUP_ICON | 0x2f710 | 0x68 | data | | | 0.7019230769230769
      RT_VERSION | 0x2f778 | 0x3a4 | data | | | 0.4238197424892704
      RT_MANIFEST | 0x2fb1c | 0x6b5 | ASCII text, with CRLF line terminators | English | United States | 0.3541059988351776
      DLL | Import
      KERNEL32.dll | CreateProcessW, DeleteCriticalSection, EnterCriticalSection, ExpandEnvironmentStringsW, FormatMessageA, GetCommandLineW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentVariableW, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetProcAddress, GetShortPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, GetTempPathW, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, SetDllDirectoryW, SetEnvironmentVariableW, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
      msvcrt.dll | __argc, __dllonexit, __lconv_init, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, __winitenv, _amsg_exit, _cexit, _findclose, _fileno, _fmode, _fullpath, _get_osfhandle, _getpid, _initterm, _iob, _lock, _onexit, _setmode, _stat, _strdup, _unlock, _vsnprintf, _vsnwprintf, _wcmdln, _wfindfirst, _wfindnext, _wfopen, _wmkdir, _wremove, _wrmdir, _wstat, _wtempnam, abort, calloc, clearerr, exit, fclose, feof, ferror, fflush, fprintf, fread, free, fseek, ftell, fwrite, getenv, malloc, mbstowcs, memcpy, setbuf, setlocale, signal, sprintf, strcat, strchr, strcmp, strcpy, strlen, strncat, strncmp, strncpy, strrchr, strtok, vfprintf, wcscat, wcscmp, wcscpy, wcslen
      WS2_32.dll | ntohl
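      The figures in the static tables above (per-file and per-section "Entropy (8bit)", the security directory offset, the section raw sizes against the 15'502'144-byte file size, and the "Import Hash") are produced by Joe Sandbox's own tooling; the Python below is an added example, not Joe Sandbox code and not part of the analysed sample, that reproduces how a triager derives and cross-checks them. All constants are copied from this report. The 10-byte sample input is reconstructed from the dropped-file preview "I1..(dp1.." on the assumption that the dots are the newline and STOP bytes of a protocol-0 pickle (its reported entropy, 2.721928094887362, is the value the code should return). Function names and the 7.0 entropy threshold are this example's own choices. The import-hash helper follows the pefile convention and assumes import-table order; the alphabetically listed imports above may not preserve that order, so it is meant for hashing a parsed import table rather than for recomputing the value shown.

```python
# Added triage example for the static tables of this report. Not Joe Sandbox code
# and not part of the analysed sample; every constant below is copied from the
# report, except the 10-byte input reconstructed from the preview "I1..(dp1.."
# (assumption: the dots are the "\n" and "." bytes of a protocol-0 pickle).
# Function names and the 7.0 entropy threshold are this example's own choices.
import hashlib
import math
from collections import Counter


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte, the report's 'Entropy (8bit)'.
    0.0 for a run of a single byte value, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed input: the 10-byte dropped file whose preview reads "I1..(dp1.."
# (reported entropy 2.721928094887362).
DICTS_DAT = b"I1\n.(dp1\n."

# Section table of tehtris_offline_forensic_2.6.0.0.exe: name -> (raw size, entropy)
SECTIONS = {
    ".text": (0x9e00, 6.10883565459153),
    ".data": (0x200, 0.5844872522908916),
    ".rdata": (0x5000, 7.001070768837529),
    ".bss": (0x0, 0.0),
    ".idata": (0xc00, 5.162175151313857),
    ".CRT": (0x200, 0.2711142780062829),
    ".tls": (0x200, 0.1755262916558982),
    ".rsrc": (0xf200, 7.30929649276186),
}

FILE_SIZE = 15_502_144              # "File size" field of the report
SECURITY_DIR = (0xec4d98, 0x3da8)   # IMAGE_DIRECTORY_ENTRY_SECURITY: (file offset, size)


def high_entropy_sections(sections, threshold=7.0):
    """Sections whose entropy points at compressed or encrypted content. In this
    report that is .rdata and the .rsrc section carrying the 256x256 PNG icon."""
    return [name for name, (_, h) in sections.items() if h >= threshold]


def signature_is_at_tail(file_size, security_dir):
    """The security directory stores a raw file offset (not an RVA) of the
    WIN_CERTIFICATE blob. A normally built signed binary ends exactly where that
    blob ends; anything appended after it lies outside the Authenticode hash."""
    offset, size = security_dir
    return offset + size == file_size


def non_section_bytes(file_size, sections, security_dir):
    """Bytes belonging neither to a section nor to the signature: PE headers plus
    overlay. For a PyInstaller bootloader the overlay is the embedded archive,
    which is why the whole-file entropy (7.998) sits close to the maximum of 8."""
    in_sections = sum(raw for raw, _ in sections.values())
    return file_size - security_dir[1] - in_sections


def imphash(imports):
    """pefile-style import hash: md5 over 'dll.func' pairs, lowercased, DLL
    extension dropped, in import-table order, comma-joined. Use it on a parsed
    import table; the report's alphabetical listing may not be table order."""
    parts = []
    for dll, funcs in imports:
        base = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if base.endswith(ext):
                base = base[: -len(ext)]
                break
        parts.extend(f"{base}.{func.lower()}" for func in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    print(f"dicts.dat entropy      : {entropy8(DICTS_DAT):.15f}")
    print(f"high-entropy sections  : {high_entropy_sections(SECTIONS)}")
    print(f"signature ends at EOF  : {signature_is_at_tail(FILE_SIZE, SECURITY_DIR)}")
    print(f"headers + overlay bytes: {non_section_bytes(FILE_SIZE, SECURITY_DIR and SECTIONS, SECURITY_DIR)}")
    print(f"imphash of WS2_32 only : {imphash([('WS2_32.dll', ['ntohl'])])}")
```

With the report's values, `signature_is_at_tail` returns True (0xec4d98 + 0x3da8 equals the file size), and `non_section_bytes` comes to 15,358,872 bytes, roughly 15.3 MB of headers plus PyInstaller archive that no section accounts for; that, not the small MinGW bootloader in .text, is what drives the whole-file entropy to 7.998.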
      Language of compilation system | Country where language is spoken
      English | United States