Edit tour

Windows Analysis Report
Sp#U251c#U0434ti.exe

Overview

General Information

Sample name:	Sp#U251c#U0434ti.exe renamed because original name is a hash value
Original sample name:	Spti.exe
Analysis ID:	1428521
MD5:	0ceaf63f222faad3bfa66b0bcbddca69
SHA1:	d9eb66edd0a0657be291ef9c52390a6f5a12ddf5
SHA256:	dbdf5ccea961db26a656fca73bcac131fe7a28fde408e4892a669c941c1376bf
Tags:	exe
Infos:

Detection

DanaBot

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected DanaBot stealer dll

Contains functionality to infect the boot sector

Found pyInstaller with non standard icon

Hides threads from debuggers

Uses the Telegram API (likely for C&C communication)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Sp#U251c#U0434ti.exe (PID: 984 cmdline: "C:\Users\user\Desktop\Sp#U251c#U0434ti.exe" MD5: 0CEAF63F222FAAD3BFA66B0BCBDDCA69)

Sp#U251c#U0434ti.exe (PID: 5504 cmdline: "C:\Users\user\Desktop\Sp#U251c#U0434ti.exe" MD5: 0CEAF63F222FAAD3BFA66B0BCBDDCA69)

cmd.exe (PID: 4616 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1976 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1720 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DanaBot	Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBots modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.	SCULLY SPIDER	https://asec.ahnlab.com/en/30445/ https://asert.arbornetworks.com/danabots-travels-a-global-perspective/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.lexfo.fr/danabot-malware.html https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000003.2408604626.000001BBBEB51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DanaBot_stealer_dll_1	Yara detected DanaBot stealer dll	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Sp#U251c#U0434ti.exe

Virustotal: Detection: 7%

Perma Link

Yara detected DanaBot stealer dll

Source: Yara match

File source: 00000002.00000003.2408604626.000001BBBEB51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A380F0 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,clock,clock,clock,clock,CryptReleaseContext,

2_2_70A380F0

Source: Sp#U251c#U0434ti.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4060720861.00007FF8B61CC000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4055131294.00007FF8A7D1C000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb## source: Sp#U251c#U0434ti.exe, 00000002.00000002.4058618897.00007FF8B0559000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: ucrtbase.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062436600.00007FF8B80D1000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063905239.00007FF8B90FB000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4058618897.00007FF8B0559000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: .pdbrcO` source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057075647.00007FF8A8AA6000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063350800.00007FF8B8CB5000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: Sp#U251c#U0434ti.exe, 00000002.00000002.4060720861.00007FF8B61CC000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Sp#U251c#U0434ti.exe, 00000002.00000002.4056646945.00007FF8A8510000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: ~/.pdbrc source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063101715.00007FF8B8AF5000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: placed in the .pdbrc file): source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF201000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pdb.Pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4060299096.00007FF8B6048000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: -c are executed after commands from .pdbrc files. source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF1BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062019830.00007FF8B78B0000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: If a file ".pdbrc" exists in your home directory or in the current source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF201000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-1_1.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4056646945.00007FF8A8592000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057075647.00007FF8A8AA6000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064349266.00007FF8B9843000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Sp#U251c#U0434ti.exe, 00000002.00000002.4056646945.00007FF8A8510000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064730035.00007FF8BA521000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: Initial commands are read from .pdbrc files in your home directory source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF1BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064516661.00007FF8B9F70000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4059892046.00007FF8B6026000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: .pdbrc source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061617679.00007FF8B7833000.00000002.00000001.01000000.00000013.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062619819.00007FF8B8257000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061617679.00007FF8B7833000.00000002.00000001.01000000.00000013.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062224509.00007FF8B8002000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057426355.00007FF8A8E1F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063561581.00007FF8B8F73000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063905239.00007FF8B90FB000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064181504.00007FF8B93CD000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062019830.00007FF8B78B0000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062436600.00007FF8B80D1000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063733225.00007FF8B8F88000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4049881385.000001BBBC6C0000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: The standard debugger class (pdb.Pdb) is an example. source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052619926.000001BBBFBB0000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061211082.00007FF8B77FD000.00000002.00000001.01000000.00000014.sdmp

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B55610 FindFirstFileExW,	0_2_00007FF720B55610
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B39250 FindFirstFileExW,FindClose,	0_2_00007FF720B39250
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B39250 FindFirstFileExW,FindClose,	2_2_00007FF720B39250
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B55610 FindFirstFileExW,	2_2_00007FF720B55610

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI9842\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI9842\tcl\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 4x nop then sub rsp, 58h	0_2_00007FF720B3DDF0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 4x nop then push rbx	0_2_00007FF720B3E196
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 4x nop then push rbp	2_2_70A2BD40
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 4x nop then push rbp	2_2_70A2BD40
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 4x nop then push rbx	2_2_00007FF720B3E196
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 4x nop then sub rsp, 58h	2_2_00007FF720B3DDF0

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052346971.000001BBBF990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2291267218.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bugs.python.org/issue14443
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053507901.000001BBC04C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2286272911.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2286272911.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEAB0000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2408991201.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp, more.pyc.0.dr	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF0F7000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEBD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlj
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crls
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlts
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF0F7000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlrc
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2286272911.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2286272911.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053901887.000001BBC0A70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053339687.000001BBC0290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052346971.000001BBBF990000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052260874.000001BBBF890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051996425.000001BBBF590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2408991201.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050895842.000001BBBED60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0A4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2375451432.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEFE1000.00000004.00000020.00020000.00000000.sdmp, connectionpool.pyc.0.dr	String found in binary or memory: http://google.com/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2375451432.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053901887.000001BBC0A70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.esZ
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2286272911.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2286272911.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050417837.000001BBBE940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: _sfc64.cp310-win_amd64.pyd.0.dr	String found in binary or memory: http://pracrand.sourceforge.net/RNG_engines.txt
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052834567.000001BBBFCE6000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/6p
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/I
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/QI
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/TI
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/fpp5
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/mp
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051996425.000001BBBF590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tip.tcl.tk/48)
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/TT
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/~K_5
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052429365.000001BBBFAAC000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF1BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: _sfc64.cp310-win_amd64.pyd.0.dr	String found in binary or memory: http://www.pcg-random.org/posts/random-invertible-mapping-statistics.html
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEAB0000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE1F000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0D04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7058619531:AAFjAlypCbzRcRc65gGCD1WGy2bRSVD0Yh4/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054324335.000001BBC1314000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7058619531:AAFjAlypCbzRcRc65gGCD1WGy2bRSVD0Yh4/sendPhoto
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054324335.000001BBC1314000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7058619531:AAFjAlypCbzRcRc65gGCD1WGy2bRSVD0Yh4/sendPhotoPI
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF21C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051996425.000001BBBF590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2194891669.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://code.google.com/archive/p/casadebender/wikis/Win32IconImagePlugin.wiki
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/pypa/setuptools
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2192306958.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2192741998.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2193451290.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/
Source: METADATA.0.dr	String found in binary or memory: https://cryptography.io
Source: METADATA.0.dr	String found in binary or memory: https://cryptography.io/
Source: METADATA.0.dr	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: METADATA.0.dr	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: METADATA.0.dr	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/803025117553754132/815945031150993468
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2408604626.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEFE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2408604626.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEFE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2408604626.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052172362.000001BBBF790000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEFE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051911764.000001BBBF490000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050328229.000001BBBE840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2196060584.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, ImageFont.pyc.0.dr	String found in binary or memory: https://dotcolon.net/font/aileron
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052085116.000001BBBF690000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4049592911.000001BBBC4AF000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387009360.000001BBBDEDE000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387078291.000001BBBDEDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2408991201.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2409545518.000001BBBF314000.00000004.00000020.00020000.00000000.sdmp, __init__.pyc62.0.dr	String found in binary or memory: https://github.com/asweigart/pygetwindow
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053507901.000001BBC04C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/asweigart/pyperclip/issues/55
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0A4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050895842.000001BBBED60000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052085116.000001BBBF690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061083435.00007FF8B6214000.00000002.00000001.01000000.00000012.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4061778307.00007FF8B7841000.00000002.00000001.01000000.00000013.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4062099534.00007FF8B78C1000.00000002.00000001.01000000.00000010.sdmp, win32api.pyd.0.dr	String found in binary or memory: https://github.com/mhammond/pywin32
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/black
Source: METADATA.0.dr	String found in binary or memory: https://github.com/pyca/cryptography
Source: METADATA.0.dr	String found in binary or memory: https://github.com/pyca/cryptography/
Source: METADATA.0.dr	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: METADATA.0.dr, binding.pyc.0.dr	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: METADATA.0.dr	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050985674.000001BBBEE70000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050985674.000001BBBEE70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging__cached__
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packagingd
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/discussions
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051996425.000001BBBF590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050985674.000001BBBEE70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/workflows/tests/badge.svg
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053339687.000001BBC0290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-pillow/Pillow/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050042291.000001BBBE300000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387009360.000001BBBDEDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2387078291.000001BBBDEDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4049592911.000001BBBC4AF000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387009360.000001BBBDEDE000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387078291.000001BBBDEDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4049592911.000001BBBC4AF000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387009360.000001BBBDEDE000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387078291.000001BBBDEDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: __init__.pyc29.0.dr	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2168
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2375451432.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: __init__.pyc29.0.dr	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3020
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEF90000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEA40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEF90000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF21C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEAB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEA40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC09000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC3B000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF21C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEAB0000.00000004.00000020.00020000.00000000.sdmp, __init__.pyc73.0.dr	String found in binary or memory: https://httpbin.org/post
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/code%20style-black-000000.svg
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2022-informational
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/discord/803025117553754132
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/setuptools.svg
Source: METADATA.0.dr	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/setuptools.svg
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/readthedocs/setuptools/latest.svg
Source: _legacy.pyc.0.dr	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054324335.000001BBC1300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054324335.000001BBC1300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/json27.39MB
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2409665236.000001BBBF31F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC09000.00000004.00000020.00020000.00000000.sdmp, request.pyc1.0.dr	String found in binary or memory: https://mahler:8092/site-updates.py
Source: METADATA.0.dr	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mouseinfo.readthedocs.io
Source: _sfc64.cp310-win_amd64.pyd.0.dr	String found in binary or memory: https://numpy.org/devdocs/user/troubleshooting-importerror.html#c-api-incompatibility
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2408991201.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/installing/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052085116.000001BBBF690000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053507901.000001BBC04C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pyperclip.readthedocs.io/en/latest/index.html#not-implemented-error
Source: METADATA.0.dr	String found in binary or memory: https://pypi.org/project/cryptography/
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools
Source: __init__.pyc6.0.dr	String found in binary or memory: https://pypi.org/project/typing-extensions/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057426355.00007FF8A8E1F000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/pypa/setuptools/main/docs/images/banner-640x320.svg
Source: METADATA.0.dr	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052085116.000001BBBF690000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEAB0000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053901887.000001BBC0A70000.00000004.00001000.00020000.00000000.sdmp, __init__.pyc73.0.dr	String found in binary or memory: https://requests.readthedocs.io
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052085116.000001BBBF690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/stable/history.html
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0D04000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/a/20982715/185510
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052172362.000001BBBF790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/18905702/python-ctypes-and-mutable-buffers
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2408604626.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEFE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0A4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052172362.000001BBBF790000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/455434/how-should-i-use-formatmessage-properly-in-c
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/github/pypa/setuptools?style=flat
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=readme
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF21C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEA40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051996425.000001BBBF590000.00000004.00001000.00020000.00000000.sdmp, config.pyc.0.dr	String found in binary or memory: https://upload.pypi.org/legacy/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: connectionpool.pyc.0.dr	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2197253400.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEB9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20120328125543/http://www.jpegcameras.com/libjpeg/libjpeg-3.html
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2192741998.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2197253400.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEB9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.archive.org/web/20240227115053/https://exiv2.org/tags.html)
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4049592911.000001BBBC4AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2195480364.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, ImageCms.pyc.0.dr	String found in binary or memory: https://www.cazabon.com
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2195480364.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, ImageCms.pyc.0.dr	String found in binary or memory: https://www.cazabon.com/pyCMS
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2364674642.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2195480364.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, ImageCms.pyc.0.dr	String found in binary or memory: https://www.littlecms.com
Source: Sp#U251c#U0434ti.exe, 00000000.00000003.2195972635.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, ImageFilter.pyc.0.dr	String found in binary or memory: https://www.mia.uni-saarland.de/Publications/gwosdek-ssvm11.pdf
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057142758.00007FF8A8ADB000.00000002.00000001.01000000.00000015.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4056871059.00007FF8A8609000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEAB0000.00000004.00000020.00020000.00000000.sdmp, __init__.pyc73.0.dr	String found in binary or memory: https://www.python.org
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC09000.00000004.00000020.00020000.00000000.sdmp, request.pyc1.0.dr	String found in binary or memory: https://www.python.org/
Source: Sp#U251c#U0434ti.exe, 00000002.00000003.2389143180.000001BBBE813000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050417837.000001BBBE940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050042291.000001BBBE300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053053958.000001BBBFDC2000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEF90000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

E-Banking Fraud

Yara detected DanaBot stealer dll

Source: Yara match

File source: 00000002.00000003.2408604626.000001BBBEB51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A97091: DeviceIoControl,

2_2_70A97091

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B37D20	0_2_00007FF720B37D20
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B3AA80	0_2_00007FF720B3AA80
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B3EA10	0_2_00007FF720B3EA10
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B3B258	0_2_00007FF720B3B258
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B3D0E0	0_2_00007FF720B3D0E0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B444B0	0_2_00007FF720B444B0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B324C0	0_2_00007FF720B324C0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B3B458	0_2_00007FF720B3B458
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B39880	0_2_00007FF720B39880
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B40C20	0_2_00007FF720B40C20
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B3B438	0_2_00007FF720B3B438
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A0E6F0	2_2_70A0E6F0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A0A7B0	2_2_70A0A7B0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A6FFB0	2_2_70A6FFB0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A0F7C0	2_2_70A0F7C0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A3A0A0	2_2_70A3A0A0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A3D800	2_2_70A3D800
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A3E860	2_2_70A3E860
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A77190	2_2_70A77190
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A27110	2_2_70A27110
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A3B110	2_2_70A3B110
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A7D910	2_2_70A7D910
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A23940	2_2_70A23940
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A5E140	2_2_70A5E140
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A43950	2_2_70A43950
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A6E150	2_2_70A6E150
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A35AF0	2_2_70A35AF0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A0F220	2_2_70A0F220
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A38270	2_2_70A38270
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A36250	2_2_70A36250
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A013E0	2_2_70A013E0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A6C330	2_2_70A6C330
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A3D310	2_2_70A3D310
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A22360	2_2_70A22360
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A57370	2_2_70A57370
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A6BB70	2_2_70A6BB70
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A3EC80	2_2_70A3EC80
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A34C20	2_2_70A34C20
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A6CC15	2_2_70A6CC15
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A24DA0	2_2_70A24DA0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A265B0	2_2_70A265B0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A965E0	2_2_70A965E0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A7DDF0	2_2_70A7DDF0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A38DC0	2_2_70A38DC0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A6EDC0	2_2_70A6EDC0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A7E510	2_2_70A7E510
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A31570	2_2_70A31570
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A22540	2_2_70A22540
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A2BD40	2_2_70A2BD40
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A41D40	2_2_70A41D40
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A3B550	2_2_70A3B550
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A436D0	2_2_70A436D0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A07E20	2_2_70A07E20
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A31E30	2_2_70A31E30
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A6D630	2_2_70A6D630
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A29E70	2_2_70A29E70
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A18E40	2_2_70A18E40
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A56FE2	2_2_70A56FE2
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A3CF20	2_2_70A3CF20
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A36F00	2_2_70A36F00
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A40700	2_2_70A40700
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A26F70	2_2_70A26F70
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B324C0	2_2_00007FF720B324C0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B3EA10	2_2_00007FF720B3EA10
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B3B258	2_2_00007FF720B3B258
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B3AA80	2_2_00007FF720B3AA80
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B444B0	2_2_00007FF720B444B0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B3B458	2_2_00007FF720B3B458
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B40C20	2_2_00007FF720B40C20
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B3B438	2_2_00007FF720B3B438
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B37D20	2_2_00007FF720B37D20
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B3D0E0	2_2_00007FF720B3D0E0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B39880	2_2_00007FF720B39880
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7C11860	2_2_00007FF8A7C11860
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A8026270	2_2_00007FF8A8026270
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7F710FE	2_2_00007FF8A7F710FE
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A8001930	2_2_00007FF8A8001930
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A8012980	2_2_00007FF8A8012980
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A80471B0	2_2_00007FF8A80471B0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A80BB1D0	2_2_00007FF8A80BB1D0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7F911D0	2_2_00007FF8A7F911D0

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: String function: 70A04230 appears 238 times
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: String function: 70A2D400 appears 325 times
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: String function: 00007FF8A8068BD0 appears 138 times
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: String function: 70A96CA0 appears 192 times
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: String function: 00007FF720B32C10 appears 100 times
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: String function: 70A96730 appears 31 times
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: String function: 00007FF720B32CF0 appears 178 times
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: String function: 00007FF720B32D90 appears 32 times

Source: unicodedata.pyd.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: Sp#U251c#U0434ti.exe

Static PE information: Number of sections : 11 > 10

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: Sp#U251c#U0434ti.exe	Binary or memory string: OriginalFilename vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057142758.00007FF8A8ADB000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilenamelibsslH vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063800245.00007FF8B8F92000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062517197.00007FF8B810C000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062685766.00007FF8B825E000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064076561.00007FF8B9104000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062289498.00007FF8B800D000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4058371903.00007FF8A8F28000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython310.dll. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4055332933.00007FF8A7D21000.00000002.00000001.01000000.00000021.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061447753.00007FF8B7815000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4058934611.00007FF8B056A000.00000002.00000001.01000000.00000023.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4049881385.000001BBBC6C0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061083435.00007FF8B6214000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenamepythoncom310.dll0 vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063627925.00007FF8B8F76000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061778307.00007FF8B7841000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4056871059.00007FF8A8609000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063178738.00007FF8B8AFA000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4060057880.00007FF8B602E000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064801225.00007FF8BA527000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4056243890.00007FF8A8292000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: OriginalFilenametk86.dllP vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064249011.00007FF8B93D2000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4060460070.00007FF8B604E000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilename_tkinter.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063451222.00007FF8B8CB9000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064414196.00007FF8B9846000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062099534.00007FF8B78C1000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenamepywintypes310.dll0 vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4055988472.00007FF8A8128000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: OriginalFilenametcl86.dllP vs Sp#U251c#U0434ti.exe
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064590597.00007FF8B9F7D000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs Sp#U251c#U0434ti.exe

Source: Sp#U251c#U0434ti.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9902948700221239

Source: classification engine

Classification label: mal72.troj.evad.winEXE@11/1025@2/2

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 0_2_00007FF720B38BB0 FormatMessageW,WideCharToMultiByte,GetLastError,

0_2_00007FF720B38BB0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI9842

Jump to behavior

Source: Sp#U251c#U0434ti.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Sp#U251c#U0434ti.exe

Virustotal: Detection: 7%

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

File read: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe "C:\Users\user\Desktop\Sp#U251c#U0434ti.exe"
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe "C:\Users\user\Desktop\Sp#U251c#U0434ti.exe"
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe "C:\Users\user\Desktop\Sp#U251c#U0434ti.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: tcl86t.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: tk86t.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: Sp#U251c#U0434ti.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Sp#U251c#U0434ti.exe

Static file information: File size 37180338 > 1048576

Source: Sp#U251c#U0434ti.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4060720861.00007FF8B61CC000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4055131294.00007FF8A7D1C000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb## source: Sp#U251c#U0434ti.exe, 00000002.00000002.4058618897.00007FF8B0559000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: ucrtbase.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062436600.00007FF8B80D1000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbMM source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063905239.00007FF8B90FB000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4058618897.00007FF8B0559000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: .pdbrcO` source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057075647.00007FF8A8AA6000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063350800.00007FF8B8CB5000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pythoncom.pdb}},GCTL source: Sp#U251c#U0434ti.exe, 00000002.00000002.4060720861.00007FF8B61CC000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: Sp#U251c#U0434ti.exe, 00000002.00000002.4056646945.00007FF8A8510000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: ~/.pdbrc source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063101715.00007FF8B8AF5000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: placed in the .pdbrc file): source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF201000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pdb.Pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4060299096.00007FF8B6048000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: -c are executed after commands from .pdbrc files. source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF1BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062019830.00007FF8B78B0000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: If a file ".pdbrc" exists in your home directory or in the current source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF201000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-1_1.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4056646945.00007FF8A8592000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057075647.00007FF8A8AA6000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064349266.00007FF8B9843000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1t 7 Feb 2023built on: Thu Feb 9 15:27:40 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: Sp#U251c#U0434ti.exe, 00000002.00000002.4056646945.00007FF8A8510000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064730035.00007FF8BA521000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: Initial commands are read from .pdbrc files in your home directory source: Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF1BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064516661.00007FF8B9F70000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4059892046.00007FF8B6026000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: .pdbrc source: Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb!! source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061617679.00007FF8B7833000.00000002.00000001.01000000.00000013.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062619819.00007FF8B8257000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32api.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061617679.00007FF8B7833000.00000002.00000001.01000000.00000013.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062224509.00007FF8B8002000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python310.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4057426355.00007FF8A8E1F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063561581.00007FF8B8F73000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063905239.00007FF8B90FB000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4064181504.00007FF8B93CD000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\pywintypes.pdb** source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062019830.00007FF8B78B0000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: Sp#U251c#U0434ti.exe, 00000002.00000002.4062436600.00007FF8B80D1000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4063733225.00007FF8B8F88000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4049881385.000001BBBC6C0000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: The standard debugger class (pdb.Pdb) is an example. source: Sp#U251c#U0434ti.exe, 00000002.00000002.4052619926.000001BBBFBB0000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: Sp#U251c#U0434ti.exe, 00000002.00000002.4061211082.00007FF8B77FD000.00000002.00000001.01000000.00000014.sdmp

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A70C90 LoadLibraryA,GetProcAddress,GetCurrentThread,RtlWow64SetThreadContext,

2_2_70A70C90

Source: Sp#U251c#U0434ti.exe	Static PE information: section name: .xdata
Source: python310.dll.0.dr	Static PE information: section name: PyRuntim
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: _imagingft.cp310-win_amd64.pyd.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B4DFA0 push rsi; retf	0_2_00007FF720B4DFA1
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B4DFA0 push rsi; retf	2_2_00007FF720B4DFA1
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7D34AEE push 6FFDC5D5h; iretd	2_2_00007FF8A7D34AF4
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7D376D3 push 6FFDC5D5h; iretd	2_2_00007FF8A7D376D9
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7D34640 push 60F5C5F1h; iretd	2_2_00007FF8A7D34648
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7D37425 push 60F5C5F1h; iretd	2_2_00007FF8A7D3742D
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7D34FEA push 6FFDC5C3h; iretd	2_2_00007FF8A7D34FF0
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7D379CF push 6FFDC5C3h; iretd	2_2_00007FF8A7D379D5
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7D34F9E push 6FFDC5CAh; ret	2_2_00007FF8A7D34FA4
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7D37983 push 6FFDC5CAh; ret	2_2_00007FF8A7D37989

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d		2_2_70A22B90
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d		2_2_70A227E0

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Process created: "C:\Users\user\Desktop\Sp#U251c#U0434ti.exe"

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_bounded_integers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_generator.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\bit_generator.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_mt19937.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_common.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\win32\win32pdh.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingft.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\yaml\_yaml.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\mtrand.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_pcg64.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_sfc64.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_philox.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\linalg\_umath_linalg.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingmath.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin\win32ui.pyd	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d		2_2_70A22B90
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d		2_2_70A227E0

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 0_2_00007FF720B35780 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF720B35780

Source: C:\Windows\System32\wbem\WMIC.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_bounded_integers.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_generator.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\bit_generator.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_webp.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_mt19937.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_common.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\win32\win32pdh.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imaging.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingcms.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingft.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\yaml\_yaml.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\mtrand.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_pcg64.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_sfc64.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\random\_philox.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingtk.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\linalg\_umath_linalg.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingmath.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin\win32ui.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-8710

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

API coverage: 4.8 %

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B55610 FindFirstFileExW,	0_2_00007FF720B55610
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B39250 FindFirstFileExW,FindClose,	0_2_00007FF720B39250
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B39250 FindFirstFileExW,FindClose,	2_2_00007FF720B39250
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B55610 FindFirstFileExW,	2_2_00007FF720B55610

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A06A70 GetSystemInfo,VirtualAlloc,VirtualAlloc,

2_2_70A06A70

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI9842\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI9842\tcl\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior

Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxtray
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEA40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\|
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareuser
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmusrvc
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmsrvc
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmtoolsd
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwaretray
Source: Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0DAC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmwareservice

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A70C60 IsDebuggerPresent,IsDebuggerPresent,

2_2_70A70C60

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A70C90 LoadLibraryA,GetProcAddress,GetCurrentThread,RtlWow64SetThreadContext,

2_2_70A70C90

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A22A90 GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,HeapFree,GetNetworkParams,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

2_2_70A22A90

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B31180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,wcslen,malloc,memcpy,_initterm,	0_2_00007FF720B31180
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 0_2_00007FF720B556C8 SetUnhandledExceptionFilter,WideCharToMultiByte,	0_2_00007FF720B556C8
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_70A95380 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	2_2_70A95380
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B31180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,wcslen,malloc,memcpy,_initterm,	2_2_00007FF720B31180
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF720B556C8 SetUnhandledExceptionFilter,WideCharToMultiByte,	2_2_00007FF720B556C8
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7C13028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A7C13028
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Code function: 2_2_00007FF8A7C12A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8A7C12A60

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe "C:\Users\user\Desktop\Sp#U251c#U0434ti.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid	Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_00007FF8A7D31000 cpuid

2_2_00007FF8A7D31000

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\_endian.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\_endian.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\_endian.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ctypes\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\shutil.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\shutil.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\shutil.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\fnmatch.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\fnmatch.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\fnmatch.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\bz2.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\bz2.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\bz2.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_compression.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_compression.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_compression.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\lzma.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\lzma.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\lzma.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\subprocess.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\subprocess.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\subprocess.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\signal.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\signal.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\signal.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\threading.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\threading.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\threading.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\contextlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\contextlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\contextlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-console-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-debug-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-file-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-file-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-file-l2-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-heap-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-localization-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-memory-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-namedpipe-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-processenvironment-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-profile-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-string-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-core-synch-l1-2-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-crt-convert-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-crt-filesystem-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-crt-process-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-crt-runtime-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\api-ms-win-crt-string-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ast.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\asyncio VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base64.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\bdb.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\bisect.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\calendar.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\cgi.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\code.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\codeop.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\colorsys.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\csv.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\difflib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\doctest.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\fnmatch.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\getpass.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\libssl-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\opcode.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\packaging VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\platform.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\plugs.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pprint.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pyrect VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pyscreeze VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\python310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pythoncom.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\py_compile.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\stringprep.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\token.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\inspect.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\inspect.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\inspect.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ast.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ast.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\ast.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\dis.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\dis.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\dis.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\opcode.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\opcode.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\opcode.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\machinery.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\machinery.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\machinery.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\tokenize.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\tokenize.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\tokenize.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\token.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\token.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\token.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pathlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pathlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pathlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\urllib\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\urllib\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\urllib VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\urllib VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\urllib VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\urllib\parse.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\urllib\parse.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\urllib\parse.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkgutil.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkgutil.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkgutil.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\_abc.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\_abc.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\importlib\_abc.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_pyi_rth_utils\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_pyi_rth_utils\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_pyi_rth_utils\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\context.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\context.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\context.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\process.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\process.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\process.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\reduction.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\reduction.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\reduction.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pickle.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pickle.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pickle.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_compat_pickle.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_compat_pickle.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_compat_pickle.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\socket.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\socket.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\socket.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\selectors.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\selectors.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\selectors.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\spawn.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\spawn.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\spawn.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\runpy.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\runpy.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\runpy.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\util.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\popen_spawn_win32.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\popen_spawn_win32.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\multiprocessing\popen_spawn_win32.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\tcl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\tk VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkg_resources\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkg_resources\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkg_resources\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\zipfile.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\zipfile.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\zipfile.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\platform.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\platform.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\platform.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\plistlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\plistlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\plistlib.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\datetime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\datetime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\datetime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers\expat.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers\expat.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\xml\parsers\expat.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\__init__.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\parser.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\parser.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\parser.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\feedparser.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\feedparser.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\feedparser.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\errors.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\errors.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\errors.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\_policybase.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\_policybase.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\_policybase.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\header.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\header.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\header.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\quoprimime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\quoprimime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\quoprimime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\string.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\string.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\string.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\base64mime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\base64mime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\base64mime.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base64.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base64.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base64.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\charset.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\charset.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\charset.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\encoders.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\encoders.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\encoders.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\quopri.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\quopri.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\quopri.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\utils.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\utils.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\utils.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\random.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\random.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\random.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\bisect.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\bisect.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\bisect.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\_parseaddr.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\_parseaddr.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\email\_parseaddr.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\calendar.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\calendar.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\calendar.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\tempfile.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\tempfile.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\tempfile.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\textwrap.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\textwrap.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\textwrap.pyc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkg_resources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkg_resources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkg_resources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI9842\pkg_resources\extern\__init__.pyc VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A952A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_70A952A0

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Code function: 2_2_70A70CFC GetVersion,GetCurrentThread,

2_2_70A70CFC

Source: C:\Users\user\Desktop\Sp#U251c#U0434ti.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DanaBot stealer dll

Source: Yara match

File source: 00000002.00000003.2408604626.000001BBBEB51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected DanaBot stealer dll

Source: Yara match

File source: 00000002.00000003.2408604626.000001BBBEB51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Bootkit	11 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	36 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Sp#U251c#U0434ti.exe	5%	ReversingLabs
Sp#U251c#U0434ti.exe	7%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imaging.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imaging.cp310-win_amd64.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingcms.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingcms.cp310-win_amd64.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingft.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingft.cp310-win_amd64.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingmath.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingmath.cp310-win_amd64.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingtk.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingtk.cp310-win_amd64.pyd	3%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_webp.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_webp.cp310-win_amd64.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin\mfc140u.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin\win32ui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\Pythonwin\win32ui.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\VCRUNTIME140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\VCRUNTIME140_1.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\_asyncio.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\_bz2.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\_cffi_backend.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\_cffi_backend.cp310-win_amd64.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\_ctypes.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\charset_normalizer\md.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\charset_normalizer\md.cp310-win_amd64.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\cryptography\hazmat\bindings\_rust.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\cryptography\hazmat\bindings\_rust.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\linalg\_umath_linalg.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI9842\numpy\linalg\_umath_linalg.cp310-win_amd64.pyd	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://crl.dhimyotis.com/certignarootca.crl	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
https://foss.heptapod.net/pypy/pypy/-/issues/3539	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl	0%	URL Reputation	safe
https://blog.jaraco.com/skeleton	0%	Virustotal		Browse
https://dotcolon.net/font/aileron	0%	Virustotal		Browse
http://crl.securetrust.com/SGCA.crlts	0%	Virustotal		Browse
https://www.littlecms.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high
api.telegram.org	149.154.167.220	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/asweigart/pyperclip/issues/55	Sp#U251c#U0434ti.exe, 00000002.00000002.4053507901.000001BBC04C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/giampaolo/psutil/issues/875.	Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0A4C000.00000004.00001000.00020000.00000000.sdmp	false		high
http://aka.ms/vcpython27	Sp#U251c#U0434ti.exe, 00000002.00000002.4052346971.000001BBBF990000.00000004.00001000.00020000.00000000.sdmp	false		high
https://img.shields.io/badge/skeleton-2022-informational	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web.archive.org/web/20240227115053/https://exiv2.org/tags.html)	Sp#U251c#U0434ti.exe, 00000000.00000003.2197253400.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEB9C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mhammond/pywin32	Sp#U251c#U0434ti.exe, 00000002.00000002.4061083435.00007FF8B6214000.00000002.00000001.01000000.00000012.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4061778307.00007FF8B7841000.00000002.00000001.01000000.00000013.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4062099534.00007FF8B78C1000.00000002.00000001.01000000.00000010.sdmp, win32api.pyd.0.dr	false		high
http://repository.swisssign.com/I	Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/pyversions/setuptools.svg	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/pypi/v/setuptools.svg	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2168	__init__.pyc29.0.dr	false		high
https://web.archive.org/web/20170802060935/http://oss.sgi.com/projects/ogl-sample/registry/EXT/textu	Sp#U251c#U0434ti.exe, 00000000.00000003.2192741998.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/library/unittest.html	Sp#U251c#U0434ti.exe, 00000002.00000003.2408991201.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://python.org/dev/peps/pep-0263/	Sp#U251c#U0434ti.exe, 00000002.00000002.4057426355.00007FF8A8E1F000.00000002.00000001.01000000.00000005.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Sp#U251c#U0434ti.exe, 00000002.00000002.4049592911.000001BBBC4AF000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387009360.000001BBBDEDE000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387078291.000001BBBDEDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/actions?query=workflow%3ACI	METADATA.0.dr	false		high
https://tidelift.com/security	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0A4C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF21C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://bugs.python.org/issue14443	Sp#U251c#U0434ti.exe, 00000000.00000003.2291267218.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	Sp#U251c#U0434ti.exe, 00000002.00000002.4050985674.000001BBBEE70000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/fpp5	Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crlts	Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://stackoverflow.com/questions/19622133/	Sp#U251c#U0434ti.exe, 00000002.00000002.4051996425.000001BBBF590000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7058619531:AAFjAlypCbzRcRc65gGCD1WGy2bRSVD0Yh4/sendPhotoPI	Sp#U251c#U0434ti.exe, 00000002.00000002.4054324335.000001BBC1314000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7058619531:AAFjAlypCbzRcRc65gGCD1WGy2bRSVD0Yh4/	Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0D04000.00000004.00001000.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	Sp#U251c#U0434ti.exe, 00000002.00000002.4052085116.000001BBBF690000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/TI	Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pypi.org/project/setuptools	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/workflows/tests/badge.svg	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/json	Sp#U251c#U0434ti.exe, 00000002.00000002.4054324335.000001BBC1300000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill	Sp#U251c#U0434ti.exe, 00000002.00000002.4053339687.000001BBC0290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.littlecms.com	Sp#U251c#U0434ti.exe, 00000000.00000003.2195480364.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, ImageCms.pyc.0.dr	false	0%, Virustotal, Browse	unknown
http://crl.dhimyotis.com/certignarootca.crl	Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://curl.haxx.se/rfc/cookie_spec.html	Sp#U251c#U0434ti.exe, 00000002.00000002.4053901887.000001BBC0A70000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packagingd	Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	Sp#U251c#U0434ti.exe, 00000002.00000002.4052346971.000001BBBF990000.00000004.00001000.00020000.00000000.sdmp	false		high
https://stackoverflow.com/questions/455434/how-should-i-use-formatmessage-properly-in-c	Sp#U251c#U0434ti.exe, 00000002.00000002.4052172362.000001BBBF790000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/3020	__init__.pyc29.0.dr	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/pprint.html	Sp#U251c#U0434ti.exe, 00000002.00000003.2408604626.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEFE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	Sp#U251c#U0434ti.exe, 00000002.00000002.4050042291.000001BBBE300000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387009360.000001BBBDEDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://numpy.org/devdocs/user/troubleshooting-importerror.html#c-api-incompatibility	_sfc64.cp310-win_amd64.pyd.0.dr	false		high
https://httpbin.org/get	Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC09000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC3B000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF21C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/mp	Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-pillow/Pillow/	Sp#U251c#U0434ti.exe, 00000002.00000002.4053339687.000001BBC0290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access	Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Sp#U251c#U0434ti.exe, 00000002.00000002.4049592911.000001BBBC4AF000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387009360.000001BBBDEDE000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387078291.000001BBBDEDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	Sp#U251c#U0434ti.exe, 00000002.00000002.4053901887.000001BBC0A70000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEA40000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	METADATA.0.dr	false		high
https://wwww.certigna.fr/autorites/	Sp#U251c#U0434ti.exe, 00000002.00000002.4053053958.000001BBBFDC2000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://codecov.io/gh/pypa/setuptools	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Sp#U251c#U0434ti.exe, 00000000.00000003.2375451432.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC09000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	METADATA.0.dr	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	Sp#U251c#U0434ti.exe, 00000002.00000002.4049592911.000001BBBC4AF000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387009360.000001BBBDEDE000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2387078291.000001BBBDEDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html	Sp#U251c#U0434ti.exe, 00000002.00000003.2408604626.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052172362.000001BBBF790000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050504142.000001BBBEC0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEFE1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	Sp#U251c#U0434ti.exe, 00000002.00000002.4050985674.000001BBBEE70000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ipinfo.io/json27.39MB	Sp#U251c#U0434ti.exe, 00000002.00000002.4054324335.000001BBC1300000.00000004.00001000.00020000.00000000.sdmp	false		high
https://stackoverflow.com/a/20982715/185510	Sp#U251c#U0434ti.exe, 00000002.00000002.4054126894.000001BBC0D04000.00000004.00001000.00020000.00000000.sdmp	false		high
https://dotcolon.net/font/aileron	Sp#U251c#U0434ti.exe, 00000000.00000003.2196060584.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, ImageFont.pyc.0.dr	false	0%, Virustotal, Browse	unknown
https://www.mia.uni-saarland.de/Publications/gwosdek-ssvm11.pdf	Sp#U251c#U0434ti.exe, 00000000.00000003.2195972635.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, ImageFilter.pyc.0.dr	false		high
http://github.com/ActiveState/appdirs	Sp#U251c#U0434ti.exe, 00000002.00000002.4050895842.000001BBBED60000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wiki.debian.org/XDGBaseDirectorySpecification#state	Sp#U251c#U0434ti.exe, 00000002.00000002.4049592911.000001BBBC4AF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wwwsearch.sf.net/):	Sp#U251c#U0434ti.exe, 00000002.00000002.4052513393.000001BBBFB17000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7058619531:AAFjAlypCbzRcRc65gGCD1WGy2bRSVD0Yh4/sendPhoto	Sp#U251c#U0434ti.exe, 00000002.00000002.4054324335.000001BBC1314000.00000004.00001000.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	Sp#U251c#U0434ti.exe, 00000002.00000002.4053623011.000001BBC0710000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/security/	METADATA.0.dr	false		high
http://crl.xrampsecurity.com/XGCA.crl0	Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF0F7000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugs.python.org/issue44497.	Sp#U251c#U0434ti.exe, 00000002.00000002.4051996425.000001BBBF590000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEF90000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	Sp#U251c#U0434ti.exe, 00000002.00000002.4052085116.000001BBBF690000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050808567.000001BBBEC40000.00000004.00001000.00020000.00000000.sdmp	false		high
https://askubuntu.com/questions/697397/python3-is-not-supporting-gtk-module	Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF21C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	Sp#U251c#U0434ti.exe, 00000002.00000002.4050895842.000001BBBED60000.00000004.00001000.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4052085116.000001BBBF690000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	Sp#U251c#U0434ti.exe, 00000002.00000002.4052994203.000001BBBFD28000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4050210280.000001BBBE740000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	Sp#U251c#U0434ti.exe, 00000002.00000003.2387078291.000001BBBDEDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	METADATA.0.dr, binding.pyc.0.dr	false		high
http://bugs.python.org/issue23606)	Sp#U251c#U0434ti.exe, 00000002.00000002.4053507901.000001BBC04C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/cryptography/badge/?version=latest	METADATA.0.dr	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	Sp#U251c#U0434ti.exe, 00000000.00000003.2375451432.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/installing/	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	Sp#U251c#U0434ti.exe, 00000000.00000003.2375451432.0000023D82E0C000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000002.4051136310.000001BBBEFE1000.00000004.00000020.00020000.00000000.sdmp, connectionpool.pyc.0.dr	false		high
https://mahler:8092/site-updates.py	Sp#U251c#U0434ti.exe, 00000002.00000002.4052695743.000001BBBFC09000.00000004.00000020.00020000.00000000.sdmp, request.pyc1.0.dr	false		low
http://crl.securetrust.com/SGCA.crl	Sp#U251c#U0434ti.exe, 00000002.00000002.4053096462.000001BBBFE3F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/asweigart/pygetwindow	Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DE5000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000000.00000003.2282603222.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2408991201.000001BBBF29D000.00000004.00000020.00020000.00000000.sdmp, Sp#U251c#U0434ti.exe, 00000002.00000003.2409545518.000001BBBF314000.00000004.00000020.00020000.00000000.sdmp, __init__.pyc62.0.dr	false		high
http://.../back.jpeg	Sp#U251c#U0434ti.exe, 00000002.00000002.4053790133.000001BBC0960000.00000004.00001000.00020000.00000000.sdmp	false		low
https://github.com/psf/black	Sp#U251c#U0434ti.exe, 00000000.00000003.2289599566.0000023D82DDA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography	METADATA.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428521
Start date and time:	2024-04-19 05:49:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Sp#U251c#U0434ti.exe renamed because original name is a hash value
Original Sample Name:	Spti.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@11/1025@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 79% Number of executed functions: 67 Number of non-executed functions: 197
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 40.126.28.23, 40.126.28.13, 40.126.28.20, 40.126.28.22, 40.126.28.19, 40.126.28.11, 40.126.28.12, 40.126.7.32, 13.89.179.12
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
149.154.167.220	s.exe	Get hash	malicious	Unknown	Browse
	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse
	cc.exe	Get hash	malicious	Unknown	Browse
	SHARPIL RAT.exe	Get hash	malicious	SHARPIL RAT	Browse
	SHARPIL RAT.exe	Get hash	malicious	SHARPIL RAT	Browse
	cs2aimwallhack.exe	Get hash	malicious	Unknown	Browse
	PO JSC_109117.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	34.117.186.192
	s.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	UeW2b6mU6Z.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	dendy.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	EpsilonFruit.exe	Get hash	malicious	Pafish	Browse	34.117.186.192
	Q73YlTAmWe.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
api.telegram.org	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cc.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SHARPIL RAT.exe	Get hash	malicious	SHARPIL RAT	Browse	149.154.167.220
	SHARPIL RAT.exe	Get hash	malicious	SHARPIL RAT	Browse	149.154.167.220
	cs2aimwallhack.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO JSC_109117.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	s.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	New Soft Update.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	pQTmpNQX2u.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cc.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	SHARPIL RAT.exe	Get hash	malicious	SHARPIL RAT	Browse	149.154.167.220
	SHARPIL RAT.exe	Get hash	malicious	SHARPIL RAT	Browse	149.154.167.220
	cs2aimwallhack.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe	Get hash	malicious	Amadey, RedLine, RisePro Stealer	Browse	34.117.186.192
	lQV0SgKoqe.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	lQV0SgKoqe.exe	Get hash	malicious	Unknown	Browse	34.117.118.44
	s.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	34.117.186.192
	UeW2b6mU6Z.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	34.117.186.192
	tA6etkt3gb.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	Cheater Pro 1.6.0.msi	Get hash	malicious	Unknown	Browse	34.117.188.166
	Cheat Lab 2.7.2.msi	Get hash	malicious	Unknown	Browse	34.117.188.166

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingft.cp310-win_amd64.pyd	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse
	cc.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imagingcms.cp310-win_amd64.pyd	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse
	cc.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\_imaging.cp310-win_amd64.pyd	Sp#U251c#U0434ti.exe	Get hash	malicious	Unknown	Browse
	cc.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\Desktop\Sp#U251c#U0434ti.exe
File Type:	data
Category:	dropped
Size (bytes):	12338
Entropy (8bit):	5.522438289772174
Encrypted:	false
SSDEEP:	192:Px9Eb9UdoExZPdKd6OnMT9LrEhdFYOyIpz/+I4L/fCmziRFy3bYEIASsK:gxExZVcMNr6YJozGIqfojyq
MD5:	78878945E500DF6EA8BB8E0BFFC47836
SHA1:	AD45B605DD76F0FB1485420D5E2F64AA225E3748
SHA-256:	9D0A853B78DB84788FAAB128EF92B80F256C5A0E076EB25C17FEF34FD8AF92AC
SHA-512:	60CAF097469F16C1966BC51322E05B84D5983BCB86D95CABE535D7BE37B5CCB0B54DECDBFC0FAFA5385EC309196B7F8C56C7AA7F24AE337AD5EA6E443C83ED3D
Malicious:	false
Reputation:	low
Preview:	o....................................@....d...d.Z.d.d.l.m.Z...d.d.l.Z.d.d.l.Z.d.d.l.m.Z...d.d.l.m.Z...d.d.l.m.Z.m.Z...G.d.d...d.e...Z.G.d.d...d.e...Z.G.d.d...d.e...Z.d.d...Z.d+d.d...Z.d.d...Z.d.d...Z.G.d.d...d.e...Z.d.d...Z.G.d.d...d.e.j...Z.G.d.d...d.e.j...Z.G.d.d ..d e...Z.G.d!d"..d"e...Z.G.d#d$..d$e.j...Z.d%d&..Z.e...e.j.e.e.....e.. e.j.d'....e..!d(e.....e..!d)e.....e.."e.j.e.....e..#d*e.....d.S.),......Blizzard Mipmap Format (.blp).Jerome Leclanche <jerome@leclan.ch>..The contents of this file are hereby released in the public domain (CC0).Full text of the CC0 license:. https://creativecommons.org/publicdomain/zero/1.0/..BLP1 files, used mostly in Warcraft III, are not fully supported..All types of BLP2 files used in World of Warcraft are supported...The BLP file structure consists of a header, up to 16 mipmaps of the.texture..Texture sizes must be powers of two, though the two dimensions do.not have to be equal; 512x256 is valid, but 512x200 is not..The first mipmap (mipmap #0) i

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.997760605098713
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	Sp#U251c#U0434ti.exe
File size:	37'180'338 bytes
MD5:	0ceaf63f222faad3bfa66b0bcbddca69
SHA1:	d9eb66edd0a0657be291ef9c52390a6f5a12ddf5
SHA256:	dbdf5ccea961db26a656fca73bcac131fe7a28fde408e4892a669c941c1376bf
SHA512:	12170462079637a959e38a6a4baf00a3242b6189fb59fc11f6e255830ba0cf1b03f805866b5511d377d2e9c2953a71152fbf8f8fcf251fa1f04d6e98d3b16aa5
SSDEEP:	786432:9GeCRQjyXVs4jGb0w52j6+s7LWB75zu5OoiUbW8YOd9in9Y:oPQWXV9ybR52qHWB75iJiUbW/C
TLSH:	D68733AB6341586AF1ADAE3BF4A04B713571F04516F27607ABF49F360DCE5E2AD34220
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....!f...............).d....... .............@.............................p......N58...`................................

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6621E3F9 [Fri Apr 19 03:24:41 2024 UTC]
TLS Callbacks:	0x4000da50, 0x1, 0x4000da20, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a3d629f5a29590a5e3c40a85e9084e58

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25000	0x15b4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x29000	0x1c30c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x21000	0xdec	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x46000	0x138	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1eb20	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x25570	0x4e0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x163d8	0x16400	e40ff6e5deed41350070ce21759c15e8	False	0.5146045470505618	data	6.299774421507668	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x18000	0x120	0x200	f61cb4423a73c5bf9e6df17b852131ab	False	0.1640625	data	1.2479383533347042	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x19000	0x77a0	0x7800	f4de28c84a38fd713c00783febaa160f	False	0.5194010416666667	data	6.604838598246207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x21000	0xdec	0xe00	91450add642cb0d3bb2c39150a48e10a	False	0.5072544642857143	data	5.016289141770577	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x22000	0xe34	0x1000	f20b3c68c38ec255890ec28667f5a5f3	False	0.248046875	data	4.13670878351862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x23000	0x1e60	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x25000	0x15b4	0x1600	4fd029a0b35c1c83484df6ff3253e963	False	0.32954545454545453	data	4.418521235192165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x27000	0x60	0x200	ecfc875572379037f056e51d3e6fd71c	False	0.068359375	data	0.28655982431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x28000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x29000	0x1c30c	0x1c400	10d3531981ee3f6311f4b3889ece5957	False	0.9902948700221239	data	7.986636678670288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x46000	0x138	0x200	907f2920aa92a1918d1994583c43156e	False	0.48828125	data	3.539661364542608	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x29208	0x366	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1.0126436781609196
RT_ICON	0x29570	0x67c	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	1.0066265060240964
RT_ICON	0x29bec	0x9cd	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	1.00438421681945
RT_ICON	0x2a5bc	0x12d6	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	1.0022812111157196
RT_ICON	0x2b894	0x1dfc	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	1.0014330380406462
RT_ICON	0x2d690	0x5ce4	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	1.0006728343145501
RT_ICON	0x33374	0x11a1f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0004292261467953
RT_GROUP_ICON	0x44d94	0x68	data	0.7788461538461539
RT_MANIFEST	0x44dfc	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

DLL	Import
ADVAPI32.dll	ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetTokenInformation, OpenProcessToken
COMCTL32.dll	LoadIconMetric
GDI32.dll	CreateFontIndirectW, DeleteObject, SelectObject
KERNEL32.dll	AreFileApisANSI, CloseHandle, CreateDirectoryW, CreateProcessW, CreateSymbolicLinkW, DeleteCriticalSection, EnterCriticalSection, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FormatMessageW, FreeLibrary, GetCommandLineW, GetCurrentProcess, GetEnvironmentVariableW, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, GetStartupInfoW, GetTempPathW, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryExW, LocalFree, MulDiv, MultiByteToWideChar, SetConsoleCtrlHandler, SetDllDirectoryW, SetEnvironmentVariableW, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argc, __iob_func, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, __winitenv, _amsg_exit, _cexit, _commode, _errno, _filelengthi64, _fileno, _findclose, _fileno, _fmode, _get_osfhandle, _getpid, _initterm, _lock, _onexit, _snwprintf, _stat64, _strdup, _stricmp, _unlock, _wcmdln, _wcsdup, _wcsdup, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wputenv_s, _wremove, _wrmdir, _wstat64, _wtempnam, abort, calloc, clearerr, exit, fclose, feof, ferror, fflush, fgetpos, fprintf, fputc, fputwc, fread, free, fsetpos, fwprintf, fwrite, iswctype, localeconv, malloc, mbstowcs, memcmp, memcpy, memset, perror, realloc, signal, strcat, strchr, strcmp, strcpy, strerror, strlen, strncat, strncmp, strncpy, strtok, strtoul, vfprintf, wcscat, wcschr, wcscmp, wcscpy, wcslen, wcsncpy
USER32.dll	CreateWindowExW, DestroyIcon, DialogBoxIndirectParamW, DrawTextW, EndDialog, GetClientRect, GetDC, GetDialogBaseUnits, GetWindowLongPtrW, InvalidateRect, MessageBoxA, MessageBoxW, MoveWindow, ReleaseDC, SendMessageW, SetWindowLongPtrW, SystemParametersInfoW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 05:51:10.555835962 CEST	49726	443	192.168.2.5	34.117.186.192
Apr 19, 2024 05:51:10.555922031 CEST	443	49726	34.117.186.192	192.168.2.5
Apr 19, 2024 05:51:10.556042910 CEST	49726	443	192.168.2.5	34.117.186.192
Apr 19, 2024 05:51:10.568427086 CEST	49726	443	192.168.2.5	34.117.186.192
Apr 19, 2024 05:51:10.568500996 CEST	443	49726	34.117.186.192	192.168.2.5
Apr 19, 2024 05:51:10.796286106 CEST	443	49726	34.117.186.192	192.168.2.5
Apr 19, 2024 05:51:10.797483921 CEST	49726	443	192.168.2.5	34.117.186.192
Apr 19, 2024 05:51:10.797542095 CEST	443	49726	34.117.186.192	192.168.2.5
Apr 19, 2024 05:51:10.799251080 CEST	443	49726	34.117.186.192	192.168.2.5
Apr 19, 2024 05:51:10.799339056 CEST	49726	443	192.168.2.5	34.117.186.192
Apr 19, 2024 05:51:10.800359964 CEST	49726	443	192.168.2.5	34.117.186.192
Apr 19, 2024 05:51:10.800529003 CEST	49726	443	192.168.2.5	34.117.186.192
Apr 19, 2024 05:51:11.209531069 CEST	49727	443	192.168.2.5	149.154.167.220
Apr 19, 2024 05:51:11.209567070 CEST	443	49727	149.154.167.220	192.168.2.5
Apr 19, 2024 05:51:11.209729910 CEST	49727	443	192.168.2.5	149.154.167.220
Apr 19, 2024 05:51:11.219283104 CEST	49727	443	192.168.2.5	149.154.167.220
Apr 19, 2024 05:51:11.219296932 CEST	443	49727	149.154.167.220	192.168.2.5
Apr 19, 2024 05:51:11.655267954 CEST	443	49727	149.154.167.220	192.168.2.5
Apr 19, 2024 05:51:11.655771017 CEST	49727	443	192.168.2.5	149.154.167.220
Apr 19, 2024 05:51:11.655792952 CEST	443	49727	149.154.167.220	192.168.2.5
Apr 19, 2024 05:51:11.657490015 CEST	443	49727	149.154.167.220	192.168.2.5
Apr 19, 2024 05:51:11.657656908 CEST	49727	443	192.168.2.5	149.154.167.220
Apr 19, 2024 05:51:11.658066988 CEST	49727	443	192.168.2.5	149.154.167.220
Apr 19, 2024 05:51:11.658188105 CEST	49727	443	192.168.2.5	149.154.167.220

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 19, 2024 05:51:10.445969105 CEST	59570	53	192.168.2.5	1.1.1.1
Apr 19, 2024 05:51:10.551595926 CEST	53	59570	1.1.1.1	192.168.2.5
Apr 19, 2024 05:51:11.103113890 CEST	56552	53	192.168.2.5	1.1.1.1
Apr 19, 2024 05:51:11.208353043 CEST	53	56552	1.1.1.1	192.168.2.5

Target ID:	0
Start time:	05:50:46
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\Sp#U251c#U0434ti.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Sp#U251c#U0434ti.exe"
Imagebase:	0x7ff720b30000
File size:	37'180'338 bytes
MD5 hash:	0CEAF63F222FAAD3BFA66B0BCBDDCA69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	05:51:05
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\Sp#U251c#U0434ti.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Sp#U251c#U0434ti.exe"
Imagebase:	0x7ff720b30000
File size:	37'180'338 bytes
MD5 hash:	0CEAF63F222FAAD3BFA66B0BCBDDCA69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DanaBot_stealer_dll_1, Description: Yara detected DanaBot stealer dll, Source: 00000002.00000003.2408604626.000001BBBEB51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	05:51:06
Start date:	19/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff7a2e90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	05:51:08
Start date:	19/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:	0x7ff7a2e90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.2%
Total number of Nodes:	1210
Total number of Limit Nodes:	21

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Sp#U251c#U0434ti.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\BlpImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\BmpImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\BufrStubImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\CurImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\DcxImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\DdsImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\EpsImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\ExifTags.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\FitsImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\FliImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\FpxImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\FtexImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\GbrImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\GifImagePlugin.pyc

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\GimpGradientFile.pyc

Windows Analysis Report
Sp#U251c#U0434ti.exe

C:\Users\user\AppData\Local\Temp\_MEI9842\PIL\init.pyc

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre